In 2018 the European Commission published far-reaching rules on data and data privacy known as GDPR or General Data Protection Regulations. These regulations put limitations on what others can do with your personal data.
What is personal data ? The European Commission GDPR website gives the following explanation:
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
Examples of personal data include
- a name and surname;
- a home address;
- an email address such as firstname.lastname@example.org;
- an identification card number;
- location data (for example the location data function on a mobile phone)*;
- an Internet Protocol (IP) address;
- a cookie ID (in some cases, there is a specific sectoral legislation)
- the advertising identifier of your phone;
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
The document It’s your data - take control: data protection in the EU gives the following information.
When processing your data organisations have to provide you with clear information relating to the use of your data, this includes information such as:
- for what purposes your data will be used
- the legal basis for processing your data
- how long your data will be stored
- with whom they’ll share your data
- your basic data protection rights
- whether your data will be transferred outside the EU
- your right to lodge a complaint
- how to withdraw your consent, if you have given it
- the contact details of the organisation responsible for processing your data and their Data Protection Officer if there is one.
Personal data can only be collected and processed for a well-defined purpose. When collecting your data a company must tell you what purpose your data will be used for. They must also make sure that only relevant data is processed and the data is not kept longer than necessary.
There is much more to GDPR than this, but it gives an idea of what personal data is and some of the constraints on its use. It is very relevant to data science because it puts limitations on what data scientists are allowed to do, and it puts limitations on what individuals and organisations are allowed to do.
When collecting data from websites, the owner should always make it GDPR compliant.
With Google Analytics there should be no problem. In an important article We are committed to complying with applicable data protection laws Google writes:
We are always working to stay compliant, which helps make compliance easier for your business. We encourage regular audits, maintain certifications, provide industry-standard contractual protections, and share tools and information you can use to strengthen your business’s compliance.
This article has the following section on Google’s commitment to GDPR:
Our commitment to GDPR
We are working hard to prepare for the EU’s General Data Protection Regulation (GDPR). Keeping users’ information safe and secure is among our highest priorities at Google. Over the years, we have spent a lot of time working closely with Data Protection Authorities in Europe, and we have already implemented strong privacy protections that reflect their guidance. We are committed to complying with the new legislation and will collaborate with partners throughout this process.
You should bear in mind GDPR for data science in general. However, Google Analytics is already committed to be GDPR compliant. Even so the regulations apply to everyone, and we accept our responsibility to ensure that data collected on this course adhere to GDPR rules.
What do you think?
Do you think GDPR is a good idea. If you are not in Europe, do you have anything equivalent in your country? Do you have any examples of personal data being misused? Do you think that our use of Google Analytics is within the spirit of the new regulations?
Google. We are committed to complying with applicable data protection laws https://privacy.google.com/businesses/compliance/#?modal_active=none