Knowing customer needs and acting accordingly – hardly possible without the respective customer insights. In these times of big data, many companies are relying on data-driven business models to analyze large data volumes and obtain insights into customer wishes and needs. With customer analytics, companies can analyze customer data to get to know their customers better and leverage potential like addressing customer needs with individualized offers.
The focus in customer analytics lies on customers, i.e. on real people. Accordingly, personal data is processed in the respective big data applications, which in turn is subject to data protection laws. So how can compliance with data protection requirements be guaranteed in this climate of data-driven business models?
Data protection laws spell out various principles (see Art. 5 GDPR) that fundamentally apply to all cases in which personal data is processed. That includes:
The Principle of Data Minimization in particular presents a challenge in big data applications, as big data is based on the exact opposite – specifically, on processing the largest data volumes possible. Therefore, in order to guarantee compliance with data protection requirements, it makes sense to split big data analyses into various phases. Data scope can vary within those phases in accordance with the desired objective.
Modeling focuses on using random analyses to find out which data can be an aid in extracting certain insights. The insights from those analyses can be used as a base for conceptualizing corresponding algorithms. Modeling can generally work with anonymous data, i.e. personal association is not necessary. If there is no personal association, then instances of this kind of processing won’t be pertinent to data protection.
2. Model application
When data is analyzed with the conceptualized algorithms, it can result in segments that reflect certain insights. One example here would be: Monday morning between six and nine is when the most business people fly from Hamburg to Munich. These kinds of statistical analyses can also be carried out without personal association, which means they are not relevant for data protection.
What is more interesting, however, are analyses that do have a personal association, where the objective is to obtain certain information about specific individuals. These kinds of analyses are indeed pertinent to data protection. They quickly fall into the sphere of profiling, which is also explicitly named in the EU’s General Data Protection Regulation that entered into force on 25 May 2018. Article 22 of that Regulation states: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” That also includes analyses aimed at creating certain forecasts regarding a person (e.g. behavior, interests, location), provided those forecasts produce a legal effect for the data subject as laid out in the Regulation or in some other way significantly compromise the data subject.
In general, these kinds of analyses can only be legitimized through consent issued by the data subject in a valid manner. Valid declarations of consent are those where the consenting party has understood the scope of data processing on which the consent is based. Additionally, consent can only be declared in a valid manner at the point in time of data collection. Consent is always related to an explicit purpose. The possibility of revocation at any time (with effect for the future) must likewise be given to the data subject. In order to obtain valid consent, the purpose and scope of the evaluation of personal data must be clear. The data subject must be informed such that they recognize the scope of the respective data processing.
It would be difficult to envision an analysis of personal data being legitimized based on the consideration of interests laid out in Art. 6 (1) (f) GDPR. When balancing interests, the interest of a company, which is always manifest in general, stands in contrast to a data subject’s interests, which merit protection. A balancing of interests will pan out in favor of the data subject if it was not possible to recognize the extent to which the analyses of personal data would affect their personal rights. Profiling generally encroaches on a data subject’s personal rights to a significant extent. Depending on the type of analysis, however, consideration must be made for data protection on the individual level, as violation of legitimate interests varies based on data depth.
3. Customer communication
In general, the findings garnered from the aforementioned steps are not used to address individual customers. To the contrary, this is about presenting certain offers to certain customer segments. Those segments can be defined based on analyses done beforehand. A CRM system should be structured such that customers can be selected according to segment. Then it becomes possible to use a CRM to communicate with the customers of a selected segment in line with the access rights in place.
It is indeed possible to carry out customer analytics in compliance with data protection requirements and develop insights for data-driven business models. When data protection principles are observed through the corresponding measures, a great deal of options open up for gaining insights into customer needs and generating additional value for one’s own business. On the one hand, it’s important to access anonymous data to the greatest extent possible. On the other hand, a customer should always be transparently informed of how their data is going to be processed. That means data protection can also result in customer retention by establishing a foundation of trust. And that, in turn, boosts a company’s image.