During the first half of the year, organizations that process personal data were quite busy with putting new legislation into practice. The EU General Data Protection Regulation (GDPR) forced companies and other organizations to consider which of their old practices they needed to abandon. In the process, smaller organizations in particular may have destroyed useful registers, as they lacked the resources to determine how to create the necessary processes and get the necessary statements of consent. Making changes to processes was easier for professional data processors. They were able to focus more on the new opportunities that the GDPR is creating. In addition to strengthening the rights of data subjects, the GDPR aims to create new business.
New business from data?
A while ago, I read The New Oil, a thought-provoking book by Arent van 't Spijker about creating new business by making use of data—the new oil. The examples in the book illustrated well how the individual’s rights and the effective use of data must always go hand in hand. Otherwise, problems will emerge.
In 2009, Netflix announced a competition for groups of researchers to develop recommendation algorithms for movies. From the company’s databases, each group was given 100 million user recommendations without any other personal data than the user’s running ID number. The prize for the best improvement was one million dollars.
Disclosing completely anonymous data may seem perfectly harmless, but the controller of an individual register cannot know how the data will be combined. Many American Netflix users also use the movie website IMDB, where their recommendations are not anonymous. By combining Netflix data with IMDB data, one of the groups was able to identify a large number of Netflix users based on their recommendations. And sensitive personal data, such as political views or sexual preferences, can be concluded from movie tastes. Netflix was sued because of the competition, which had to be discontinued.
In hindsight, the problem was not so much the disclosure of the data as the lack of rules for its use. If data cannot be transferred at all, all development will be hindered. However, it is important to understand that anonymous data will not remain so in practice. For example, outside large towns and cities, many people can be identified based on their age, gender and postal code.
With this in mind, we have entered into data processing agreements with our customers and partners this year, with the total volume of these agreements being hundreds of pages. When we have established clear rules, we can start planning how to make use of data. In the best case, we have been able to monitor the success of recruitment decisions and identify which business director profiles generate the highest increase in net sales, for example. With sound agreements in place to safeguard each individual’s rights, data may well become the new oil.