Customer Analytics – Gaining Customer Insights in Compliance with Data Protection

Knowing customer needs and acting accordingly – hardly possible without the respective customer insights. In these times of big data, many companies are relying on data-driven business models to analyze large data volumes and obtain insights into customer wishes and needs. With customer analytics, companies can analyze customer data to get to know their customers better and leverage potential like addressing customer needs with individualized offers.

The focus in customer analytics lies on customers, i.e. on real people. Accordingly, personal data is processed in the respective big data applications, which in turn is subject to data protection laws. So how can compliance with data protection requirements be guaranteed in this climate of data-driven business models?

Customer analytics: Compliance with general data protection principles

Data protection laws spell out various principles (see Art. 5 GDPR) that fundamentally apply to all cases in which personal data is processed. That includes:

  • The Purpose Limitation Principle:
    Personal data may only be processed for the purpose for which it was collected.
  • The Transparency Requirement:
    Every data subject (e.g. customers) should be able to recognize the purpose for which the data they are associated with is being processed. It should be ensured that data subjects are able to decide themselves which company knows how much about them and why.
  • The Need-to-Know Principle:
    The data to be processed is the data that is actually necessary for the processing.
  • Data minimization:
    Data processing may only include as much data as necessary for the purpose of data processing.

The Principle of Data Minimization in particular presents a challenge in big data applications, as big data is based on the exact opposite – specifically, on processing the largest data volumes possible. Therefore, in order to guarantee compliance with data protection requirements, it makes sense to split big data analyses into various phases. Data scope can vary within those phases in accordance with the desired objective.

Big data applications can be subdivided into three steps

1. Modeling

Modeling focuses on using random analyses to find out which data can be an aid in extracting certain insights. The insights from those analyses can be used as a base for conceptualizing corresponding algorithms. Modeling can generally work with anonymous data, i.e. personal association is not necessary. If there is no personal association, then instances of this kind of processing won’t be pertinent to data protection.

2. Model application

When data is analyzed with the conceptualized algorithms, it can result in segments that reflect certain insights. One example here would be: On Monday morning between six and nine is when the most business people fly from Hamburg to Munich. These kinds of statistical analyses can also be carried out without personal association, which means they are not relevant for data protection.
What is more interesting, however, are analyses that do have a personal association, where the objective is to obtain certain information about specific individuals. These kinds of analyses are indeed pertinent in data protection. They quickly fall into the sphere of profiling, which is also explicitly named in the EU’s General Data Protection Regulation that entered into force on 25 May 2018. Article 22 of that Regulation states: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” That also includes analyses aimed at creating certain forecasts regarding a person (e.g. behavior, interests, location), provided those forecasts produce a legal effect for the data subject as laid out in the Regulation or in some other way significantly compromise the data subject.
In general, these kinds of analyses can only be legitimized through consent issued by the data subject in a valid manner. Valid declarations of consent are those where the consenting party has understood the scope of data processing on which the consent is based. Additionally, consent can only be declared in a valid manner at the point in time of data collection. Consent is always related to an explicit purpose. The possibility of revocation at any time (with effect for the future) must likewise be given to the data subject. In order to obtain valid consent, the purpose and scope of the evaluation of personal data must be clear. The data subject must be informed such that they recognize the scope of the respective data processing.
It would be difficult to envision an analysis of personal data being legitimized based on the consideration of interests laid out in Art. 6 (1) (f) GDPR. When balancing interests, the interest of a company, which is always manifest in general, stands in contrast to a data subject’s interests, which merit protection. A balancing of interests will pan out in favor of the data subject if it was not possible to recognize the extent to which the analyses of personal data would affect their personal rights. Profiling generally encroaches on a data subject’s personal rights to a significant extent. Depending on the type of analysis, however, consideration must be made for data protection on the individual level, as violation of legitimate interests varies based on data depth.

3. Customer communication

In general, the findings garnered from the aforementioned steps are not used to address individual customers. To the contrary, this is about presenting certain offers to certain customer segments. Those segments can be defined based on analyses done beforehand. A CRM system should be structured such that customers can be selected according to segment. Then it becomes possible to use a CRM to communicate with the customers of a selected segment in line with the access rights in place.

Customer analytics in compliance with data protection establishes trust

It is indeed possible to carry out customer analytics in compliance with data protection requirements and develop insights for data-driven business models. When data protection principles are observed through the corresponding measures, a great deal of options open up for gaining insights into customer needs and generating additional value for one’s own business. On the one hand, it’s important to access anonymous data to the greatest extent possible. On the other hand, a customer should always be transparently informed of how their data is going to be processed. That means data protection can also result in customer retention by establishing a foundation of trust. And that, in turn, boosts a company’s image.
