Video


Big Data and GDPR - profiling change based on collected information

Posted: by Jan Nawrot

Category: gdpr | marketing | cybersecurity |

Data is the most important resource in 21st Century that can easily gain market advantage. The General Data Protection Regulation (GDPR) provides the answer to people’s needs and support for the digital single market. But what about the proper functioning of Big Data?



How can Big Data be used?



Areas such as commerce, industry, administration, science, and health care have changed dramatically in the wake of Big Data. The same thing has happened with Big Data and marketing , whose representatives, by means of available data, can more effectively conduct actions in consumer space. With the use of Big Data tools and statistical analysis, you are not only able to observe existing market trends, analyze the relevance of your products/services, forecast the demand for individual goods, but also segment your customers and build their profiles based on given information. Big Data tools for compiling and analyzing the data obtained, gives the opportunity to see certain standards and thus make better business decisions.

Personal and non-personal data of individuals

Marketers have noticed the benefits of connecting Big Data and marketing in their daily work or in conducting specific campaigns. Data sets are defined as a combination of personal and non-personal information, where logical relationships are sought, and then used to make changes expected by the market. Non-personal data are information which is observed, derived or deduced, which has not been communicated intentionally by the subject and is a supplement to personal data.

Most often data is acquired with analytical methods, machine learning, algorithms, pixel markers and cookies. These activities, however, involve the risk of using personal data outside the main purpose for which they were collected (e.g., to identity theft or financial fraud); and inconsistent data management. A good example can be using false or misleading information in the profiling, which may affect the reputation of the person; an occurrence of intolerance towards some groups due to unsuccessful profiling. This has led to the tightening of the profiling process and companies are forced to check if they use measures to reduce the risk of privacy violations (e.g. pseudonymization, tokenization, data minimization techniques).

GDPR and changes in creating customer profiles

In the GDPR, profiling was change and have been taken into account from the point of view of individuals living in the European Union, whose information is collected by various organizations. First and foremost, a definition of "profiling" has been created within the framework of GDPR, which in essence means to create "knowledge" about consumers based on their behavior within the used network services, keeping them fully aware of the process (information about the profiling and its predicted consequences has to be delivered clearly and precisely).

A clear, unambiguous and voluntary consent of the subject was considered as the basis for the profiling activities. In addition, prohibition of profiling with sensitive data and reporting of profiling activities have been introduced. People who know about profiling may be reluctant to consent to data processing (concerning e.g. their age, sex, date of birth, location, interests, shopping behavior, etc.), which in turn impedes the personalization of the offer or the creation of targeted marketing communications. It is important to remember that within the framework of the Regulation, obtaining adequate personal consent concerns both newly created data sets and those existing in the past.

Profiling consists of the following elements:

  • it must be an automated form of processing,
  • must be based on the obtained personal data,
  • its purpose is to identify the personal aspects (preferences, habits, interests) of a particular subject.

GDPR - profiling categories

There are two categories of profiling. The first one is based on provided information about an individual, while the other is based on artificially generated knowledge of the subject, based on, for example, statistics. Based on GDPR profiling can take two forms: common (with the necessary human work) and automated (involving computer programs evaluating and making decisions). Trusting computer programs to consider issues always involves some risk, for example in the form of an unjust denial of access to goods/services. In such cases, organizations must ensure that there is a rapid human intervention and that the subject retains the right to change or deny any decision taken on the basis of automatic processing.

GDPR prohibits the use of sensitive data to make automatic decisions (for example concerning a person’s health or economic circumstances), unless the individual has given his or her consent, or when the decisions are necessary for public interest. When organizations want to collect personal data, they should first select appropriate processing methods, inform about the purpose of collecting personal data, and provide an adequate legal basis. In addition, a natural person may at any time request insight into the collected data or object to any form of profiling. Organizations are required to guarantee the rights under GDPR, and must therefore monitor the state of the information provided, for example with the use of an analytical platform which enables data flow monitoring, detects whether the obtained consent has not been withdrawn or changed, and verifies whether the collected material is fully secure.

The Regulation is not intended to impede industries involved with Big Data, but primarily it is an impulse which will encourage organizations to be responsible for managing data and security. They will be able to organize an audit of their databases; clean up the database of unnecessary materials, and even find valuable data that have so far been ignored. The marketers will start looking at the campaigns more closely and will assume some responsibility for possible data breaches. More about digital security in campaigns you can find on GDPR and marketing article.

Lemlock ebook. Expert Guidebook: Three vievs on cybersecurity
Udostępnij
Read more:
Step-by-step preparation for GDPR - checklist
GDPR

Step-by-step preparation for GDPR - checklist
An overview of the Regulation and its most frequently discussed issues
GDPR

An overview of the Regulation and its most frequently discussed issues
How was GDPR introduced? Facts.
GDPR

How was GDPR introduced? Facts.
Are you interested in a comprehensive solution
for your data security?
Consent to  data processing for contact purposes
I confirm that I have read the  information clause of Sagiton Sp. z o.o.

I hereby give consent to the processing of my personal data by the Personal Data Controller (hereinafter: "PDC") – Sagiton Sp. z o.o. ul. Fabryczna 19, 53-609 Wrocław, within the scope of: full name, e-mail address or telephone number, for the purpose of sale of products and services of Sagiton Sp. z o.o. and for the purpose of sending me feedback and making contact with me by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the removal of my personal data from the PDC Sagiton Sp. z o.o. database, by sending an e-mail to [email protected], or a letter to Sagiton Sp. z o.o., ul. Fabryczna 19, 53-609 Wrocław, with a statement containing the relevant request, which shall result in the deletion of my personal data from the PDC Sagiton Sp. z o.o. database; I have the right to access my data; providing my data is voluntary, however refusal to provide it is tantamount to not receiving information regarding sale of products and services of Sagiton Sp. z o.o., as well as not receiving feedback and making contact with me by Sagiton Sp. z o.o.

In accordance with Art. 13 section 1 of the General Data Protection Regulation of 27 April 2016, (GDPR), we would like to inform you that the controller of your personal data is Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław, e-mail: [email protected].

Your personal data shall be processed within the scope of: full name, e-mail address and/or telephone number in order to answer your question/request for contact and send feedback – pursuant to Art. 6 section 1 (a) of the GDPR, i.e. consent to the processing of personal data.

The data controller would like to inform you that your personal data shall not be disclosed to third parties.

Your data shall not be transferred outside of the European Economic Area or to international organizations.

Your personal data shall be processed until you withdraw your consent to the processing of data, as well as if the purpose for processing this data shall no longer be applicable.

You have the right to access your personal data, rectify it, delete it, restrict its processing, the right to transfer it, as well as the right to object.

In the case of giving your consent, you have the right to withdraw it at any time. Exercising the right to withdraw the consent does not affect the processing carried out before the consent was withdrawn.

You have the right to lodge a complaint with the supervisory body, i.e. the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw.

Providing your personal data is a prerequisite for making contact with you by Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław. In the case of not providing your personal data, Sagiton Sp. z o.o., shall not be able to contact you.

The Data Controller, Sagiton Sp. z o.o., would like to inform you that they shall not use your personal data for automated decision-making, which is based solely on automated processing, including profiling, and has legal effects for you or affects you significantly in a similar way.

Let's stay in contact