Analytics: Perils and Promises of the new EU Privacy Law "GDPR". Axel Arnbak. ABN AMRO, Beyond Banking, 8 June 2018.
GDPR is here to stay: Impact hard to underestimate for companies
• Fines: up to EUR 20,000,000 or 4% of annual worldwide turnover of an "undertaking"
• Consent: strict requirements, burden of proof
• Transparency: expanded requirements to inform consumers
• Data rights for individuals broadened: access, data portability, erasure
• Accountability: able to show exactly what you're doing, e.g. data processing record
• New obligations: Data Protection Impact Assessments, Privacy by design/by default
• Data Protection Officer: obligation to employ an 'internal watchdog'
• Profiling: prohibited, unless… Much stricter regime
• Data security: breach reporting requirements introduced (NL: existing duties expanded)
Take note - new opportunities for big data analytics: Pseudonymisation
The rise of AI Analytics: Selfies for Life Insurance
GDPR compliance possible, requires serious effort
Lapetus: How it works
• Take a selfie
• AI analyses 1000+ datapoints
• Ageing, Gender, BMI
• Whether you smoke
• Disease detection
• AI combines analysis with 'biodemographic' information
• 9 personalised questions
• Immediate quote
Zurich UK: FaceQuote app
• Launched 15 Jan. 2018
GDPR: profiling perils, big data opportunities
Create separate profiling and analytics database
'Profiling' requirements increasingly strict
• Art. 22: profiling prohibited, unless.. ?
• Consent, necessary for performance of contract
• Rec. 71: over 30 criteria re: profiling (!)
• Art. 12-16: user rights enhanced
• New rights to human intervention, data erasure, algorithmic accountability, evaluation 'statistical methods' etc.
'Big data' opportunities through pseudonymisation
• Rec. 50: analytics compatible with original collection purposes: no separate legal basis (e.g. consent)
Step 1: Remove identifiers in legacy databases, store separately
Step 2: Perform big data analytics
Step 3: Obtain consent and re-identify customers for marketing
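The three steps above as an added example in Python; it is not part of the original slides. The field names, the HMAC-based pseudonym, the consent set and the sample rows are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

IDENTIFIERS = ("customer_id", "name", "email")  # assumed direct identifiers

def pseudonym(key: bytes, customer_id: str) -> str:
    # Keyed HMAC: without the key, nobody can recompute pseudonyms from known IDs.
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()

def split_legacy(rows, key):
    """Step 1: identifiers go to a separate vault; analytics rows keep a pseudonym."""
    vault, analytics = {}, []
    for row in rows:
        pid = pseudonym(key, row["customer_id"])
        vault[pid] = {f: row[f] for f in IDENTIFIERS}
        rest = {k: v for k, v in row.items() if k not in IDENTIFIERS}
        analytics.append({"pid": pid, **rest})
    return vault, analytics

def average_spend_by_segment(analytics):
    """Step 2: the analysis reads only the pseudonymised table."""
    spend = defaultdict(list)
    for row in analytics:
        spend[row["segment"]].append(row["spend"])
    return {seg: sum(v) / len(v) for seg, v in spend.items()}

def reidentify(pids, vault, consented_ids):
    """Step 3: run by the vault holder; returns people only where consent is on record."""
    return [vault[p] for p in pids if vault[p]["customer_id"] in consented_ids]

# Constructed sample rows standing in for a legacy customer table.
LEGACY = [
    {"customer_id": "C001", "name": "A. Example", "email": "a@example.org",
     "segment": "retail", "spend": 100},
    {"customer_id": "C002", "name": "B. Example", "email": "b@example.org",
     "segment": "retail", "spend": 200},
    {"customer_id": "C003", "name": "C. Example", "email": "c@example.org",
     "segment": "private", "spend": 900},
]

if __name__ == "__main__":
    key = bytes(32)  # demo only; a real key is random and stored away from the data
    vault, analytics = split_legacy(LEGACY, key)
    print(average_spend_by_segment(analytics))
    targets = [r["pid"] for r in analytics if r["segment"] == "retail"]
    print(reidentify(targets, vault, consented_ids={"C001"}))
```

The key and the vault have to be held outside the analytics environment. Attributes left in the analytics table can still single out a person when combined, so they need review as well.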
GDPR: pseudonymisation, correctly applied, provides opportunity for advanced analytics
All writings available at: https://axelarnbak.nl/
Remember with innovative analytics: data ethics
even if legal, not always accepted by consumers