Business Analyst after GDPR –
task minimization or information overload?
GDPR will affect Business Analysts with a very high probability
Experiences from the last six months of GDPR work vary widely between companies. Some still have a lot left to do; others have found the process considerably easier. Most understand the basic ideas of PUL (Personuppgiftslagen, the Swedish Personal Data Act that GDPR replaces), but few have control over the detailed content. Some companies nevertheless maintain very good control, and others have implemented solutions that work well. Either way, the introduction of GDPR will, with a very high probability, affect every company, and as a Business Analyst after GDPR you will face new requirements.
Data minimization and GDPR
Many companies have neglected data minimization. They are unclear about the purpose and objectives of the information they collect, and as a consequence they store far more information than today's operations actually require.
In Article 5.1b of the Data Protection Regulation we can read the following:
"[Personal data shall be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes".
Further down, in 5.1c, it says:
"[Personal data shall be] adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')".
Business Analyst to prevent information overload
But everyone also needs to think about tomorrow, and this is where information overload usually comes in: data is hoarded in order to search for tomorrow's business opportunities. Is it really so bad to collect information that has been anonymized beyond recognition, with no way of recovering its origin? Note the distinction here: data that is genuinely anonymized falls outside the Regulation, whereas pseudonymized data that can be attributed to a person with additional information (such as a key or lookup table) is still personal data (Recital 26). The purpose of GDPR is not to make business development harder, but to prevent violations of personal privacy. So how big are the risks? In Article 89.1 we can read the following:
"Processing for... research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner."
We can therefore use personal data to find new business opportunities, provided the safeguards required by 89.1 are in place and the purpose of the collection is clearly stated. Some security solutions use behavior as an additional factor for identification; this involves collecting data on how users behave when working with the tools in the domain. Can a valid consent be obtained for collecting unspecified data in order to search for future improvements and business opportunities? As mentioned above, Article 5.1b states:
"[Personal data shall be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes".
It is important to keep track of your information: where it is and how it is handled. Deficiencies here undermine your credibility when you justify data collection, and they weaken any argument for purposes tied to future needs.
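The following is an added example, not code from the original article, illustrating the pseudonymisation and data-minimisation safeguards that Article 89.1 and Article 5.1c refer to. It uses constructed sample records (not real people), a hypothetical candidate list an attacker might hold, and a secret key that is assumed to be stored outside the analytics environment. It contrasts a naive unkeyed hash of the e-mail address, which anyone with a list of plausible addresses can reverse, with a keyed pseudonym that can only be linked back to a person by whoever holds the key, and it drops or generalises fields the stated statistical purpose does not need.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example; these are not real people.
RECORDS = [
    {"email": "anna@example.com", "age": 34, "postcode": "11122", "purchases": 3},
    {"email": "bo@example.com", "age": 51, "postcode": "41318", "purchases": 7},
    {"email": "cia@example.com", "age": 27, "postcode": "21145", "purchases": 1},
]

# Hypothetical "dictionary" an attacker might hold: addresses from a leak or a CRM export.
CANDIDATE_EMAILS = ["anna@example.com", "bo@example.com", "cia@example.com", "dan@example.com"]


def naive_token(email: str) -> str:
    """Unkeyed SHA-256 of the e-mail. It looks anonymous, but anyone who can guess
    the input can recompute the token, so it is neither anonymised nor a safe pseudonym."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Recomputing the token requires the secret key,
    which is assumed to be kept separately from the analytics data set."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band; the statistics rarely need the exact value."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimise(record: dict, key: bytes) -> dict:
    """Data minimisation (Article 5.1c): keep only what the stated statistical purpose
    needs. The direct identifier becomes a pseudonym and the postcode is dropped entirely."""
    return {
        "subject": pseudonymise(record["email"], key),
        "age_band": age_band(record["age"]),
        "purchases": record["purchases"],
    }


def build_analytics_set(records, key: bytes) -> list:
    """The data set handed to the analysts: no e-mail, no postcode, no exact age."""
    return [minimise(r, key) for r in records]


def reverse_by_dictionary(token: str, candidates, token_fn):
    """Try to re-identify a token by recomputing it for each candidate input.
    Returns the matching candidate, or None if no candidate reproduces the token."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored outside the analytics environment
    dataset = build_analytics_set(RECORDS, key)
    print(dataset)

    target = dataset[0]["subject"]
    print("naive hash, attacker with a candidate list:",
          reverse_by_dictionary(naive_token(RECORDS[0]["email"]), CANDIDATE_EMAILS, naive_token))
    print("HMAC pseudonym, attacker without the key:",
          reverse_by_dictionary(target, CANDIDATE_EMAILS, naive_token))
    print("HMAC pseudonym, controller holding the key:",
          reverse_by_dictionary(target, CANDIDATE_EMAILS, lambda e: pseudonymise(e, key)))
```

The last line of the demo is the important caveat: as long as the key exists, the controller can link a token back to a person, so the data set is pseudonymised and still personal data under the Regulation. Destroying the key after the analysis run removes that path, which is the "no longer permits the identification of data subjects" case in Article 89.1, but the remaining fields (age band plus purchase count) still have to be assessed for whether they single out an individual on their own.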