Business Analyst after GDPR – data minimization or information overload?

GDPR is very likely to change the work of Business Analysts

Experiences from the last six months of GDPR work vary widely between companies. Some have much left to do; others find the process considerably easier. Most understand the basic ideas of PUL (Personuppgiftslagen, the Swedish Personal Data Act that GDPR replaces), but few have control over the detailed content of the personal data they hold. Some companies do maintain excellent control, and some implement solutions that work very effectively. Regardless, the introduction of GDPR is very likely to affect every company, and the Business Analyst will face new requirements after GDPR.

Data minimization and GDPR

Many companies have neglected data minimization. They lack clarity about the purpose and objectives of the information they collect, and the usual consequence is that they store more information than today's operations actually need.

Article 5.1b of the General Data Protection Regulation reads:

"[Personal data shall be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes".

Article 5.1c continues:

"[Personal data shall be] adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)".

Business Analyst to prevent information overload

But everyone also needs to think about tomorrow, and this is where information overload comes in: data is kept in order to search for tomorrow's business opportunities. Is it so bad to collect information that is anonymized beyond recognition, with no possibility of retrieving its origin? (Data that is truly anonymous, so that the data subject is no longer identifiable, falls outside the Regulation according to Recital 26; the hard part is making sure the data really is anonymous.) The purpose of GDPR is not to make business development harder but to prevent violations of personal privacy. How big are the risks, then? Article 89.1 reads:

"Processing for... research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner."

We can therefore use personal data to find new business opportunities, provided the safeguards required by 89.1 are in place and the purpose of the collection is clearly stated. Some security solutions use behavior as an additional factor for identification; this means collecting data on how users behave when they use the tools within the domain. Can valid consent be obtained for collecting unspecified data in order to search for future improvements and business opportunities? As quoted above, Article 5.1b states:

"[Personal data shall be] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes".

An open-ended purpose such as "future business development" is neither specified nor explicit in the sense of 5.1b, so it cannot carry a collection on its own. It is also important to keep track of your information: where it is and how it is handled. Deficiencies in this area undermine credibility when justifying data collection, and they weaken any argument for purposes tied to future needs.
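As an added example (not part of the original article and not the author's code), the following Python script contrasts three ways of treating the e-mail address in a small customer data set when the purpose is statistics: an unkeyed hash that merely looks anonymous, pseudonymisation under a key the controller keeps separately from the data (the "additional information" in the Article 4.5 definition of pseudonymisation), and a coarse aggregate with small groups suppressed, which is the "further processing which does not permit the identification of data subjects" that 89.1 prefers. The records, the key, the field names and the suppression threshold are all assumptions constructed for the illustration.

```python
# Added example (not from the original article): unkeyed hash vs. keyed
# pseudonymisation vs. suppressed aggregate for a statistical purpose.
# All records and the key below are constructed sample data.
import hashlib
import hmac
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample records (not real people).
RAW_RECORDS: List[Dict] = [
    {"email": "anna@example.com",    "birth_year": 1984, "city": "Malmö",     "logins": 12},
    {"email": "bjorn@example.com",   "birth_year": 1979, "city": "Stockholm", "logins": 3},
    {"email": "cecilia@example.com", "birth_year": 1991, "city": "Stockholm", "logins": 30},
    {"email": "david@example.com",   "birth_year": 1985, "city": "Malmö",     "logins": 7},
    {"email": "eva@example.com",     "birth_year": 1962, "city": "Göteborg",  "logins": 1},
]

# The "additional information" of Art. 4(5): held by the controller, never shipped
# with the analysis data set. Constructed value for this example; generate a real
# one with secrets.token_bytes(32) and keep it in a key store.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Often mistaken for anonymisation:
    anyone who can enumerate plausible identifiers recomputes it and re-identifies."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256. The same identifier always maps to the same token (so
    records can still be linked for statistics), but reversing it needs the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymised_records(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a pseudonym and carry across only the
    attributes the statistical purpose needs (data minimisation)."""
    return [
        {
            "pseudonym": pseudonymise(r["email"], key),
            "birth_year": r["birth_year"],
            "city": r["city"],
            "logins": r["logins"],
        }
        for r in records
    ]


def reidentify(token: str, candidates: Iterable[str],
               hash_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack an insider or data recipient could run: hash every
    candidate identifier they can guess (e.g. a customer list) and compare."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), token):
            return candidate
    return None


def anonymised_counts(records: Iterable[Dict],
                      min_group_size: int = 2) -> Dict[Tuple[str, str], int]:
    """Coarse aggregate for the statistical purpose: count people per city and
    birth decade, and suppress groups smaller than min_group_size so that a
    single person cannot be singled out from the published figures."""
    def decade(year: int) -> str:
        return f"{year // 10 * 10}s"

    groups = Counter((r["city"], decade(r["birth_year"])) for r in records)
    return {group: n for group, n in groups.items() if n >= min_group_size}


if __name__ == "__main__":
    emails = [r["email"] for r in RAW_RECORDS]
    # Unkeyed hash: trivially reversed with the company's own customer list.
    print(reidentify(naive_hash("anna@example.com"), emails, naive_hash))
    # Keyed pseudonym: the same attack without the key finds nothing.
    print(reidentify(pseudonymise("anna@example.com", PSEUDONYM_KEY), emails, naive_hash))
    print(pseudonymised_records(RAW_RECORDS, PSEUDONYM_KEY)[0])
    print(anonymised_counts(RAW_RECORDS))
```

Running it shows that the unkeyed hash of anna@example.com is recovered at once from the customer list, while the keyed pseudonym is not. The pseudonym's strength rests entirely on the key being long, random and stored apart from the data set; keeping that key is also what lets the controller still honor an access or erasure request from a data subject. The suppressed aggregate is the form to reach for when the statistical purpose can be met without identifying anyone; the threshold of two per group is a constructed choice for the example, not a legal value.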

GDPR

The General Data Protection Regulation, GDPR, is a new data protection regulation that will apply within the EU from 25 May 2018. The aim of the regulation is to strengthen the protection of personal privacy so that this fundamental right is balanced against other fundamental rights and legitimate societal interests. In addition, there will be a new Swedish data protection act (Dataskyddslagen) that supplements the GDPR.

Jan Wrangmark

Jan is an experienced manager with a strong sense of quality. He has broad knowledge of the financial sector, with strong ties to quality management, IT governance and operational risk management.
