Around the world, countries are working to enhance data privacy protections as privacy breaches continue to come to light. The European Union (EU) recently passed a regulation that aims to harmonize privacy laws and reshape how organizations approach data privacy.
The General Data Protection Regulation (GDPR) was approved and adopted by the EU on May 15, 2018, and while it strives to protect consumers’ private information, it also poses a challenge to businesses that must comply with the new regulation. Companies that handle personal data must provide privacy safeguards by default (e.g., using anonymization where appropriate), so that the personal data will not be disclosed without explicit, informed consent.
“One important aspect of GDPR was to define whether certain data is personally identifiable or not based on the outcomes rather than the procedure,” said Nan Zhang, a newly minted Technology & Analytics professor at American University’s Kogod School of Business whose research focuses on data analytics and information privacy. “This means that if a company has anonymized the data, if it has been aggregated, then the data can be used by companies without being regulated by GDPR.”
This aggregated de-identified data, is based on a general definition of an outcome that the data that can no longer be linked with an individual customer. The problem with this definition, Zhang argues, is that every company has to make their own judgment call on whether the outcome was fully achieved or not.
Complicating matters further, it’s difficult to predict all of the potential ways data could actually be linked to a customer in the future. Zhang’s previous research on data analytics aimed to answer whether data can actually be stripped of all personal identifiers.
“The answer to that is there are actually a lot of possible ways to link de-identified data to individuals through inference,” he said. “[If data] doesn’t give you a deterministic linkage then [it] certainly [gives] a probabilistic linkage.”
Regulations like the GDPR may not alleviate our concerns on data re-identification or data inference, but it will give consumers the chance to explicitly consent to businesses using their data for specific purposes. And consumers, Zhang says, are still responsible for their information as they download apps and use services.
“The GDPR is making every consumers’ life easier [to be] responsible of [their] own information, but ultimately it’s still up to each individual user to understand the risks they put themselves in,” he said. “I think it’s important for individual users to understand the potential implications of disclosing such information before actually doing so.”
Zhang’s research runs the gamut for finding answers to these information privacy questions via the lens of data analytics. Through a National Science Foundation grant, Zhang and Kogod professor Heng Xu are conducting research on past consumer privacy choices that lead to privacy regrets. “Situation-Aware Identification and Rectification of Regrettable Privacy Decisions” helps users revisit and rectify these past decisions on information disclosure by identifying which choices they are most likely to revisit.
“What we wanted to do in that project is to essentially develop technologies that would be able to gently alert you of such potential privacy regrets,” he said. “This sounds like a very simple idea but if you actually think about how to implement it, you find that a key challenge is that you can’t just pop up alerts for every privacy decision people make because they make a lot of them.”
Instead of pushing a notification out for each app, Zhang and his team determine which app’s data permissions a user might revisit most in the future through an analytical approach. Once determined, notifications would only be sent out about the apps believed to be associated with privacy regret.
Data protection isn’t just up to the consumer. Zhang predicts that in the future, companies will have to responsibly store data if they want to have a good relationship with their customers and that the GDPR may be the first step to building that trust.
Since the GDPR has only been around for about six months, there’s no telling what it will achieve as businesses begin to comply with the regulation.
“I’m uncertain at this moment about what kind of a landscape we will see in a few years in terms of what compliance with GDPR will look like,” he said. “Certainly any kind of regulation like this we’ll have to balance between the benefits it brings to the privacy protection of consumers and the extra burden it places on companies. Until all of these details and uncertainties are settled, it is difficult to reach a final conclusion on whether it’s heading towards a sustainable future.”
So, what was the last app you downloaded? If you can’t remember, you might want to check your privacy settings.