Author: Etienne Oosthuysen
What is the European GDPR and how will it impact Australian organisations? We give you the low-down from an analytic tool perspective.
GDPR (General Data Protection Regulation) is the European privacy and data protection law that comes into effect on the 25th of May 2018. This surely doesn’t affect Australian companies, right? Wrong!
The thing is, whilst the new regulation governs data protection and privacy for all EU citizens it also addresses personal data outside of the EU. The impact will be far-reaching, including Australian businesses, as all businesses concerned with the gathering and analysis of consumer data could be affected.
What the law says
According to the Office of the Australian Information Commissioner (OAIC), Australian businesses of any size may need to comply. In addition, all Australian businesses must comply with the Australian Privacy Act 1988.
Are these two laws complementary? Some of the common requirements that businesses must adhere to include:
- Implementation of a privacy-by-design approach to compliance
- An ability to demonstrate compliance with privacy principles and obligations
- Adoption of transparent information handling practices
- Appropriate notification in case of any data breach
- Conducting privacy impact assessments
But some GDPR requirements are not part of the Australian Privacy Act, such as the “right to be forgotten”.
We would suggest that Australian businesses firstly establish whether they need to comply with GDPR. If they do, then they should take prompt steps to ensure their data practices comply. Businesses should already comply with the Australian Privacy Act, but also consider rolling out additional measures required under GDPR which are not inconsistent with the Privacy Act.
Who is affected
In a nutshell, the GDPR applies to any data processing activities undertaken by an Australian business of any size that:
- Has a presence in the EU
- Has a website or websites that target EU customers or mention customers or users in the EU
- Tracks individuals in the EU for analysis (for example to predict personal preferences, behaviours and attitudes)
Refer to the following link for more information: https://www.oaic.gov.au/media-and-speeches/news/general-data-protection-regulation-guidance-for-australian-businesses
Do analytic tools comply?
Once a need for your organisation to comply has been established, it is worth ascertaining whether the actual tools you are using for analytics comply, specifically with regard to the last bullet point above (tracking and analysing individuals).
In the next section of this article we look at two common players in the analytics space, Power BI and Qlik, through the lens of GDPR (and, by extension, the Australian Privacy Act).
The scope of GDPR is intended to apply to the processing of personal data irrespective of the technology used. Because Power BI and Qlik may be used to process personal data, there are certain requirements within the GDPR that compel users of these technologies to pay close attention:
- Article 7 states that consent must be demonstrable and “freely given” if the basis for data processing is consent. The data subject must also have the right to withdraw consent at any time
- Articles 15 to 17 cover the rights to access, rectification, and erasure. This means that mechanisms must allow data subjects to request access to their personal data and receive information on the processing of that data. They must be able to rectify personal data if it is incorrect. Data subjects must also be able to request the erasure of their personal data (i.e. the “right to be forgotten”)
- Articles 24 to 30 require maintenance of audit trails and documentary evidence to demonstrate accountability and compliance with the GDPR
- Article 25 requires businesses to implement the necessary privacy controls, safeguards, and data protection principles so that privacy is by design
- Articles 25, 29 and 32 require strict access control to personal data, through, for example, role-based access and segregation of duties
Microsoft Power BI
Power BI can be viewed through the lens of GDPR (and the Australian Privacy Act for that matter) via four pillars in the Microsoft Trust Centre. With specific reference to GDPR, Microsoft states, “We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning”. Microsoft released a whitepaper to provide the reader with some basic understanding of the GDPR and how it relates to Power BI. But meeting GDPR compliance will likely include a variety of different tools, approaches, and requirements.
Power BI is built using the “Security Development Lifecycle”. Through Azure Active Directory, Power BI is protected from unauthorised access by simplifying the management of users and groups, which enables you to assign and revoke privileges easily.
The Microsoft Trust Centre clearly states that “you are the owner of your data” and it is not used for mining for advertising. http://servicetrust.microsoft.com/ViewPage/TrustDocuments?command=Download&downloadType=Document&downloadId=5bd4c466-277b-4726-b9e0-f816ac12872d&docTab=6d000410-c9e9-11e7-9a91-892aae8839ad_FAQ_and_White_Papers
From the Power BI white paper, “We use your data only for purposes that are consistent with providing the services to which you subscribe. If a government approaches us for access to your data, we redirect the inquiry to you, the customer, whenever possible. We have challenged, and will challenge in court, any invalid legal demand that prohibits disclosure of a government request for customer data.” https://powerbi.microsoft.com/en-us/blog/power-bi-gdpr-whitepaper-is-now-available/
Microsoft complies with leading data protection and privacy laws applicable to Cloud services, and this is verified by third parties.
Microsoft provides clear explanations on:
- location of stored data
- the security of data
- who can access it and under what circumstances
Qlik
The BI vendor Qlik released a statement that declares: “With more stringent rules and significant penalties, GDPR compels businesses to use trusted vendors. Qlik is committed to our compliance responsibilities – within our organization and in delivering products and services that empower our customers and partners in their compliance efforts.” – https://www.qlik.com/us/gdpr
Qlik released an FAQ document as a GDPR-compliant vendor, stating that they have various measures in place to protect personal data and comply with data protection and privacy laws, including GDPR:
- Legal measures to ensure the lawful transfer of data
- Records of data processing activities (Article 30)
- Ensuring Privacy-By-Design and Privacy-By-Default
- Data retention and access rules
- Data protection training and policies
For more information, please view the links below:
The two vendors discussed are clear in their commitment to ensuring their security arrangements can comply with GDPR. This does not mean that other major players (Tableau, Google, etc.) do not have the same initiatives in flight; we have simply focused on Microsoft and Qlik.
Whilst there is no ‘magic button’ available to ensure all regulations are miraculously met, it is possible regardless of vendor:
- To ensure security policies can meet GDPR compliance
- To design with privacy in mind. Even though a platform may itself meet “privacy by design”, your specific solution must still be proactively designed. You cannot simply rely on the vendor
- To conduct an appropriate solution audit aligned to GDPR (or the Australian Privacy Act) as a good final step
GDPR can indeed be a tricky landscape to navigate – if in doubt, check it out.
We can certainly assist in guiding you through the process from a Data and Analytics perspective.