What is Personal Data? What are the Key Issues in Data Protection for Corporates and Investors?

A rise in the number of devices has contributed to increasing amounts of generated data.

Global IP traffic

What is Personal Data?

Personal data is information about a person that refers to an individual.

Some types of data may be directly personal:

  • Name
  • Email address
  • Home address
  • Phone number
  • Work history

Personal indirect Data is a description of someone which still enables identification. Personal Data may define race/ethnic origin, religious beliefs, political views, sexual orientation, and health conditions, and may demand more strict regulatory requirements. In some situations, consumers provide personal information for free. In others – data is found by giving consumer’s search history, location data, or buyer’s profile. Artificial intelligence and machine learning will drive inferred data.

Applications of Artificial Intelligence

Data on its own may not stand out as personal data, but when combined with other data it may be private if it identifies information about an individual. The ability to de-anonymise data has increased due to numerous facts. Marketers have become too liberal in the collection of consumer data. It describes radioactive data like customer data, e.g., personally identifiable, which could violate a business agreement if lost. There are about 15 data types, 6 of them are considered radioactive and 7 are considered toxic.

Forrester's Customer Marketing Data

What are the Purposes of Data Collection?

There are eight purposes of data collection.

Online/Targeted advertising

One reason for collecting user data is providing the ability to deliver more targeted advertising, based on consumer’s features and demographics. Programmatic advertising became a result of buyer’s tracking. The rise of cookie leaking/syncing enhances the ability to target. According to a report, 5{3fbfd6f1e6b19884051837dbbbebf333964dd5fac151615ffbd47b80e5ecc87a} digital marketers of 83{3fbfd6f1e6b19884051837dbbbebf333964dd5fac151615ffbd47b80e5ecc87a} consider that people-based campaigns perform better than cookie-based.

Personalise and improve products/services

User’s Data is utilised by site hosts to improve website performance, as well as to personalise content and products, offering to individual consumers.

Fraud Prevention

Analysis of data is used to detect fraud and to identify suspicious activity. Both fraud and the incidence of “false positives,’’ i.e., the rejection of a valid transaction can be a significant problem for financial institutions and merchants. Allowing a fraudulent transaction can require the merchant financially, but it can cost the financial institution as well, depending on the nature of an operation. Machine learning improves fraud detection as well as reduces the incidence of false positives.

Business Efficiencies and Processes

By retaining customer data, an online retailer can pre-fill forms, e.g., delivery and card details. Data can also be used to decide what products to stock by location.

The remaining four reasons relate to a combination of data selling, leakage, sharing, and discrimination.

Several companies sell anonymised data to other parties, e.g., telecom companies may sell data for geolocation tracking, and credit card companies sell these data to advertising companies. First-party data may also give their data to other parties to complete transactions, conduct surveys, and prevent fraud/for security, or marketing.

How are consumers tracked online?

There are many data trails that we leave as consumers, online and offline. They rise as the use of technology becomes more established in everyday life. Technological progress  has resulted in a significant increase in online tracking.

How To Measure Online And Offline Data

Cookies are the most spreading way of tracking/collecting data which usually contain a string of text as a “unique identifier.” Storing relevant details about a user’s interaction with a site and preferences in this way helps facilitate a more user-friendly experience. When a member returns to a particular website, cookies allow the website to recognise a user’s web browser and remember information about him.

There are different types of cookies:

  • Session cookies: Enable websites to link the actions of a user during the browser session
  • Persistent cookies: Allow to check user information and settings/preferences
  • First- and third-party cookies: Refer to the website or domain placing the cookie

It is usually the persistent, third-party and tracking cookies which are of most concern from a privacy perspective. These cookies are hard to delete and they have expiration dates that can extend with the website.

Flash cookies have also become popular. This information can be kept on a computer which is designed to save data, e.g., scores on games. It is difficult to delete them in the same way as other cookies, which means some companies use them to reload other cookies back onto a computer.

We can also distinguish ‘Super Cookie’ and ‘Zombie Cookie.’ A super cookie is designed to be permanently stored on a user’s computer and is harder to find out and remove than regular cookies. A Zombie Cookie is projected to return to life after being deleted.

Cookies - European commission Cookie Policy

There are some newly developed forms of tracking:

Fingerprinting involves collecting unique identifying patterns of information to define a specific device or application. It often consists of gathering unique identifying patterns of information

  • Web Beacons / Pixel Tags are small objects embedded into a webpage or email which are not visible to the user. When a page with one of these objects loads, it will make a call to the server for the object, and this allows the company to know that someone has loaded the page
  • Mobile Tracking

A new age of connectivity has influenced on such openings.

There are several ways of consumer’s mobile tracking:

  1. Advertising ID: Apps downloaded on a phone show advertising based on advertising IDs. These include Apple’s Advertising Identifier (IDFA), Android’s Advertising ID and Facebook App User IDs
  2. Wi-Fi: When a phone is linked up to a Wi-Fi network, sensors can use the phones media access control (MAC) address to track movement, e.g., around a store
  3. Carrier: The mobile carriers may provide de-identified data to third parties for advertising and other purposes
  4. GPS: Geolocation tracking (via GPS satellites), e.g., if you pass a particular restaurant on a regular basis, the restaurant could use the information to offer a coupon
  5. iBeacons/Antennas: Small wireless devices that use radio signals to communicate with mobiles/tablets
  • Facial Recognition uses biometric software which identifies individuals in a digital image
  • Cross-Device Tracking pulls together disparate datasets to create a picture of consumer behavior/usage as device proliferation has increased

Data protection is not only a dynamic space in Europe. Technological trends are driving changes on a global scale. The implication has been growth, and rising heterogeneity, in the data protection landscape.

Data protection

The United States has taken a more principle and sector-specific based approach than the European Union. U.S. regulators have been willing to work collaboratively with industry operators, encouraging self-regulation. Legislation has been used to address specific risks.

Fair Practice Principles

Modern Data Protection in the United States remains based on traditions stemming from ‘fair practice’ principles first enunciated in 1973.

California Has Been the Pioneer at a State Level

Some states have led the way in privacy regulation, pushing ahead of the Federal Government.

In some cases, state provisions can converge to a considerable degree. For example, a notification requirement exists in 47 U.S. States as well as the District of Columbia and Puerto Rico. Despite this, there are significant divergences in areas where states have specific concentrations regarding industry exposure, such as New York for financial services.

Industry-Specific Approaches; From Self-Regulation to Legislation

There is sector-specific legislation that includes requirements around Data Protection. The framework applies to all businesses that use consumer data.

The framework has three key components:

  • Privacy by Design
  • Simplified Consumer Choice
  • Transparency

Asia-Pacific Economic Cooperation (APEC) Privacy Approach Economically Driven

APEC’s aims in the area of data protection are exclusively economic. The framework builds public confidence in the safety and security of data flows and to realise the potential of electronic commerce. It is a contrast to Europe where the critical aims of data protection revolve around the protection of fundamental rights and freedoms.

What are the Main Issues for Corporates and Investors in Data Protection?

  • Although the opportunities from data are significant, a lot of speakers have underplayed and underestimated the challenges associated with ensuring ePrivacy and adequately protecting personal data.
  • The implementation of the GDPR in May 2018 represents one of the most excellent events in ePrivacy/data protection regulatory history. The regulation is a game changer regarding not only its scope and ambition but also the significant penalties for non-compliance.
  • The purpose of the developing data protection regulation in Europe is the transferring power to consumers, and in the end, the increase of transparency and trust in how companies use consumer’s data. Best case, consumers become more trusting. The outcome being that data quality improves, and data as an asset increases in value.
  • The very same companies that the GDPR was potentially designed to constrain will probably end up being least affected. Of course, there will be increased regulatory costs associated with compliance, but those larger companies that already have consumer trust and the necessary resources to remain compliant with much stricter and more complex EU rules will likely be less disrupted than smaller enterprises. For all companies, it will probably require a cultural change.
  • The asymmetric approach toward regulation between different regions could lead to a similar level of asymmetry regarding access to investment and 21st century consumer services – artificial intelligence, machine learning, and the Internet of Things.

It is in the interests of companies to provide comprehensive data privacy assurances. The World Economic Forum estimates that capturing the share of data privacy-conscious consumers should put about $330 billion at stake in 2015-25. The number of buyers moving to companies with strong data privacy measures is estimated to grow from 5{3fbfd6f1e6b19884051837dbbbebf333964dd5fac151615ffbd47b80e5ecc87a} in 2015 to 25{3fbfd6f1e6b19884051837dbbbebf333964dd5fac151615ffbd47b80e5ecc87a} in 2025.

Highlights:

  • Personal data is any information relating to an identified or a living person
  • The purposes of data collection are diverse
  • Cookies are the most spreading way of tracking/collecting data
  • There are five key issues for Corporates and Investors in Data Protection

https://www.itgovernance.eu/blog/en/the-gdpr-what-exactly-is-personal-data

https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

Author: Alexej Pikovsky

Passionate about investing in private and public companies and a successful track record across different industries and geographies. German Academic Foundation Scholar and Research Affiliate at the Centre for Global Finance and Technology at Imperial College London. Addicted to reading and sharing industry deep dives. Enjoy!