There is a growing trend for organisations to invest in technology that incorporates data analytics. Data analytics is a useful tool which can help organisations understand how effective their processes, products and systems are. It can also be used to gather information about patterns of staff and customer behaviour and, as a result, may process personal data. It may be tempting to deploy these technologies into your organisation, but firstly, it’s important to carefully consider the data protection risks and privacy impact on individuals which may arise as a result of using data analytics.
What is Data Analytics?
The Information Commissioner’s Office (“ICO”) defines data analytics as “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications, or risk scores.” This technology is commonly utilised by organisations to provide information about their people such as: engagement, retention of staff, students/pupils, training and training requirements, opportunities, attendance, participation, health, productivity, and overall wellbeing.
An example of how these technologies work in the education sector is where analytics tools are used to track information such as how often students log on to the School and University systems, access content, reading lists, submit work, borrow books, log on to University computers, print, scan and photocopy documents, and attend classes. Similar technologies can be used in other workplace settings to analyse and monitor employee engagement and performance, for example, via staff wellbeing and training platforms.
This technology relies upon algorithms to recognise and record behaviours which assist organisations to reach conclusions relating to risk, efficiency and productivity.
What are the benefits of using data analytics?
There are a variety of possible benefits to using data analytics technology. These include:
- Allowing organisations to use technology to identify risk patterns earlier and create effective solutions and strategies to manage them.
- Assessing how individuals (i.e. customers, students and employees) interact with products, services and systems and assessing whether you are investing in the right areas.
- For employers, identifying strengths, support needs and potential training opportunities for people in order to offer tailored training and development and improve efficiencies within the workforce.
- Gaining insight into the productivity levels of individuals and procedures within your organisation and identifying areas for process improvement.
- Creating opportunity to increase efficiency within an organisation by using technology to monitor and discover patterns within datasets.
What are the risks of using data analytics?
While the benefits of this technology may be appealing, there are various risks associated with the use of data analytics. For instance:
- Using data analytics technologies may be viewed as invasive and impeding people’s privacy rights. For employers, this may lead to staff complaints, higher staff turnover and low morale if individuals feel they are being unfairly monitored.
- The decision-making processes and logic used by the analytics software can be complicated. If your organisation does not fully understand the analytics process, it’s difficult to tell people how their personal data is being used, as the transparency principle of GDPR requires.
- The technology is not perfect and output should be treated as a statistically informed guess, rather than fact. There may be inherent biases built into the software, which produce unbalanced results and data inaccuracies, contravening the data accuracy principle of GDPR.
- Not all tools on the market are created with consideration of data protection obligations. Many tools gather an unspecified amount of personal data. If these tools do not come with controls that can be adjusted by the organisation, an organisation may collect unnecessary data and be in breach of the data minimisation principle of GDPR.
- This is still a relatively new and innovative area of tech. The consequences of using data analytics in a manner that could cause harm to individuals, whether intentional or unintentional, could be significant and result in complaints to the ICO, investigation by the supervisor and reputational damage for your organisation.
What steps your organisation should take before implementing technology
If organisations choose to implement data analytics technologies after reviewing the risks and benefits, there are certain steps organisations must take to comply with their data protection obligations. These include:
- A Data Protection Impact Assessment must be completed to ensure that risks to personal data by the use of data analytics are documented and reduced, where possible. A DPIA will also help your organisation to assess how it will comply with the principles of data protection law and to identify and document a lawful basis for processing. Complete this exercise with the support of your data protection officer.
- Many of these tools are capable of processing vast amounts of information about people. Choose a tool that has appropriate controls in place to limit processing to comply with the data minimisation principle of GDPR.
- Update privacy notices so that they clearly reflect how personal data will be processed using data analytics technology.
- Carry out a security assessment of the software to ensure that appropriate technical and security controls are in place to protect personal data.
- Consider how you will assess the accuracy of the data and prevent bias, which could have discriminatory effects on individuals.
- Data Processing Agreements must be put in place between organisations and third party data analytics providers.
- A retention period must be defined for personal data collected through this technology to comply with the storage limitation principle of GDPR.
Personal data processed via analytical tools will fall within the scope of data subject requests, for example subject access requests. Organisations should recognise that complex technology can make it more difficult to process data subject requests; however, this does not affect your responsibility to comply.