Back in May, the word on everyone’s lips was GDPR. The General Data Protection Regulation (GDPR) was googled more often than Beyoncé. Not many people really understood why they were receiving an email from a service provider they signed up to back in 2009 asking them to please opt-in to future email communications. With personal data being such a big issue in the news lately, there was a real need to understand exactly what was going on.
Although GDPR went into effect a while back, replacing the outdated Data Protection Act from 1998, GDPR compliance is an ongoing priority for PureClarity. It’s interesting to see how PureClarity’s service has changed its processes, where needed, in response to the new regulation. As PureClarity’s premise is to maximise sales for businesses who trade online using Big Data and AI algorithms, we felt it was important to show how SaaS companies like ours have adapted, where necessary, to ensure full compliance.
We decided to ask the experts. Ian Lawson, our Chief Technical Officer, and John Barton, Head of Development, sat down to answer all our questions on GDPR compliance. Before we dive in, a quick refresher: GDPR, as defined by Wikipedia, is ‘a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.’
So what does this mean for PureClarity?
What were the main perceived challenges presented to PureClarity with the introduction of GDPR?
Ian: One of the main features of the PureClarity platform is to identify users, data mine trends, and give personalised recommendations. We had to balance that functionality with the protection and rights of users’ personal data, which meant we had to re-think a couple of areas where we store data. Another challenge was to ensure expired or deleted data stayed expired in the event of a backup/restore event.
What changes did PureClarity need to undertake?
Ian: We made fundamental functional changes to the PureClarity platform to support the ability to anonymise visitors throughout the system. To support this, we introduced a section in the admin that allows for the look up and retrieval of data that we collect on visitors in order to respond to visitors’ requests for their data. From here admin users can request the removal of users’ details.
John: On top of this we ensure that user identifiers are stored using a secure “one-way hash” so that if PureClarity is sent a user’s data, via a user feed or via a user logging in on a website, we can encrypt the user identifier and compare it against existing anonymised users so that we don’t store any information again. Finally, all data is now set with an automated expiration tag, so that data is forgotten after a set amount of time. We don’t store anything more than the system requires to give customers great features.
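The three mechanisms John and Ian describe above, a one-way hash of the user identifier used to match returning visitors against records already held, an expiration tag on every record, and making sure expired or erased data does not come back from a backup restore, can be shown together in a small example. The code below is an added illustration written for this article; it is not PureClarity’s code and does not show how their platform is built. It assumes an in-memory store, a hypothetical secret `PSEUDONYM_KEY`, a constructed 90-day retention window, and uses a keyed HMAC-SHA256 rather than a bare hash (the interview does not say which hash is used; a keyed hash is chosen here because an unkeyed hash of an e-mail address can be matched by hashing guesses, whereas an HMAC can only be recomputed by a holder of the key).

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Hypothetical secret that keys the pseudonym hash (assumption, not from the article).
# Rotating or losing this key makes existing pseudonyms unmatchable, so it must be
# managed like any other production secret.
PSEUDONYM_KEY = b"example-key-replace-in-production"

# Constructed retention window: records are forgotten 90 days after last activity.
RETENTION_SECONDS = 90 * 24 * 3600


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a stable, non-reversible pseudonym from a raw user identifier."""
    normalised = identifier.strip().lower().encode("utf-8")  # same person, same pseudonym
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


@dataclass
class VisitorRecord:
    pseudonym: str          # only the keyed hash is stored, never the raw identifier
    expires_at: float       # the "expiration tag": epoch seconds after which it is purged
    views: list = field(default_factory=list)


class VisitorStore:
    def __init__(self, retention: float = RETENTION_SECONDS, now=time.time):
        self.retention = retention
        self.now = now                # injectable clock so expiry can be tested
        self._records: dict[str, VisitorRecord] = {}
        self._erased: dict[str, float] = {}   # pseudonym -> time of erasure request

    def record_view(self, identifier: str, product_id: str) -> str:
        """Match the hashed identifier against existing records instead of storing anew."""
        pseudonym = pseudonymise(identifier)
        rec = self._records.get(pseudonym)
        if rec is None:
            rec = VisitorRecord(pseudonym, self.now() + self.retention)
            self._records[pseudonym] = rec
        rec.views.append(product_id)
        rec.expires_at = self.now() + self.retention   # sliding expiry on activity
        return pseudonym

    def lookup(self, identifier: str):
        """Subject-access style lookup: what is held for this identifier, if anything."""
        return self._records.get(pseudonymise(identifier))

    def erase(self, identifier: str) -> bool:
        """Honour a removal request and remember it so a restore cannot undo it."""
        pseudonym = pseudonymise(identifier)
        removed = self._records.pop(pseudonym, None) is not None
        if removed:
            self._erased[pseudonym] = self.now()
        return removed

    def purge_expired(self) -> int:
        """Drop every record whose expiration tag has passed; returns the count."""
        now = self.now()
        expired = [p for p, r in self._records.items() if r.expires_at <= now]
        for p in expired:
            del self._records[p]
        return len(expired)

    def export_backup(self) -> dict:
        """Snapshot carrying its own timestamp so restores can reason about erasures."""
        return {
            "taken_at": self.now(),
            "records": [(r.pseudonym, r.expires_at, list(r.views)) for r in self._records.values()],
        }

    def restore_backup(self, snapshot: dict) -> int:
        """Restore a snapshot, re-applying expiry and erasure so deleted data stays deleted."""
        now = self.now()
        restored = 0
        for pseudonym, expires_at, views in snapshot["records"]:
            if expires_at <= now:                       # expired since the backup was taken
                continue
            erased_at = self._erased.get(pseudonym)
            if erased_at is not None and erased_at >= snapshot["taken_at"]:
                continue                                # erased after the backup was taken
            self._records[pseudonym] = VisitorRecord(pseudonym, expires_at, list(views))
            restored += 1
        return restored

    def __len__(self) -> int:
        return len(self._records)
```

Two details are worth noting. Normalising the identifier before hashing is what makes a visitor who logs in as `Alice@Example.com` and later arrives in a feed as `alice@example.com` match the same record, which is the "compare it against existing anonymised users" step. The erasure ledger keeps only the pseudonym and a timestamp, so honouring a removal request does not itself require retaining the personal data that was removed.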
What different considerations are there for companies who process Big Data? How transparent does PureClarity need to be in terms of the algorithms used to drive the AI?
Ian: I think, as already mentioned, the importance of not storing data longer than is needed poses a huge challenge for companies whose core feature is based around the storing and mining of big data. With so much information required, and the various structures of data, careful consideration should be given to how to dispose of data that is no longer used. For example, what visitors viewed in the distant past isn’t as relevant as what they viewed yesterday.
John: For a company like PureClarity whose core business is based on “personal” and “personalization”, it’s of the greatest importance that we are transparent when it comes to how we use visitors’ data. It’s also important to show that identifying trends and making real-time suggestions can be done without the need to store personal information of a user, such as their name, age etc. We’ve worked hard to ensure that we can fully show what information we collect on website visitors, and that we can continue to provide great functionality without the storing of personal data.
‘Big Data is completely opposed to the basis of data protection’. Do you have a comment on this statement?
John: I disagree: big data can mean the storage of web logs and web traffic activity etc. without storing users’ information. Data Protection, in particular the new regulations, applies to any data, not just big data, and is more concerned with what is stored and how it’s stored.
What steps have PureClarity taken to ensure that no one can be identified from the collection of Big Data?
Ian: As previously mentioned, we can anonymise users’ information, and that data is securely stored. We adhere to ISO27001 and thus access to data is tightly controlled.
Have you seen a change in the level of data you are getting access to?
John: No, customers are still sending similar levels of data, and to date we’ve had very few requests for anonymity. This shows, I think, that we have successfully communicated to our customers that we have taken GDPR seriously and provided functionality to support the protection of personal data.
Have you provided any advice to customers on how you are dealing with GDPR compliance and the explicit consent needed to process personal data?
Ian: As part of complying with GDPR, we are required to provide information to our customers about how we handle their data. We have updated our data policy in line with this and have provided our existing customers with details on new functionality within PureClarity that allows them to manage users’ data.
What advice would you give to other companies regarding GDPR based on what you have learned?
John: GDPR isn’t a punishment for companies that collect Big Data; it’s more about ensuring that companies change their mindset to have personal data at the forefront of everything they do. This applies not only to the technical and functional sides of a business, but also to the wider processes and operations within the organisation.
My takeaway would be three-fold:
- Hold any data you have securely.
- Review what data you are holding, and for how long you are going to hold it.
- Make sure you have a reason for using any data you hold and make this clear to your customers.
Ian: We have proved that a system like PureClarity can continue to provide amazing personalised results for website visitors whilst still respecting their personal data.