
How to combine GDPR and personal data valorization

Published on 18 July 2022

The concept of data valorization aims to give a financial value to the data that a company holds and to start treating that data as a real asset. The value of a piece of data is calculated according to a multitude of factors, ranging from the data itself to the way it can be used. For example, an e-mail address that can be used for commercial prospecting will have a potentially higher value than data relating to a person’s health, whose use is extremely restricted if the person has not given their consent.

The reuse of data is a key point in the marriage between the General Data Protection Regulation (GDPR) and valorization. According to the regulation, each processing of personal data must have a legal basis (Article 6 of the GDPR). Therefore, the actions resulting from the valorization of the data, such as sale, use, etc., must be legally justified. If the consent of the data subject has not been collected beforehand, the valorization would be very low, since it will be impossible to sell the data.

The valorization of personal data is not absolute, and the actors must comply with a strict framework. This framework can be a hindrance for companies that use valorization as a business tool or for companies looking to raise funds.

1. What are the best practices to implement to ensure the valorization of a company’s personal data?

In order to evaluate the value of the data, it is important to determine if it can be reused and how.

To this end, it is advisable to consider two cases, the first one being the one where you want to determine the valorization of an existing database, and the second one where you want to do it for a database that has yet to be built.

1) The existing database

To determine the value of your data, you need to make sure that you are able, in accordance with the GDPR, to reuse the data for further purposes. Thus, your CRM must be able to trace the origin of the data and whether consent has been collected. If so, you must be able to identify the scope of the consent: does it concern the sending of a newsletter? The sharing of data with partners?

If you have not obtained the prior consent of the data subjects for the secondary purposes, you are still able to perform a processing compatibility analysis in accordance with Article 6(4) of the GDPR or to carry out a consent collection campaign by e-mail. If you wish to explore these possibilities, you can contact us.

2) The database to be built

If your database is not yet set up, this is the perfect opportunity to make it GDPR compliant and maximize its value.

Several points need to be addressed to build a fully reusable database:

  • Collecting a specific consent,
  • Informing data subjects in accordance with Article 13 of the GDPR,
  • Respecting the principle of minimization,
  • Being able to trace the consent given and to prove it to the supervisory authority in the event of a control or to a partner to conclude a contract.

DPO Consulting is committed to making data protection accessible to all. This accessibility is accompanied by a personalized follow-up for each of your activities, including the analysis of the compliance of your database through audit sessions.

2. Focus on international data valorization: GAFAM being put at risk by the GDPR

Some GAFAM have made it their core business to exploit the personal data they hold. Indeed, if we take the example of Google or Facebook, when we use their services, they collect massive amounts of data on users, beyond what is registered when creating a profile or an account. From the moment the user browses the application, every movement and every search is scrupulously stored by these companies. All this personal data is then valorized by analyzing the quality of the data and its price.

Companies wishing to advertise will then contact Facebook or Google to appear on the news feed of people meeting a certain number of criteria. The pricing will then take into account the value that the seller of this data has set.

However, this business model is currently facing a legal problem. According to Article 44 and following of the GDPR, when personal data of individuals located in the EEA are transferred outside the EEA, additional safeguards must be put in place. Initially, the European Commission’s standard contractual clauses were the most used method to guarantee such transfers to the United States since the invalidation of the Privacy Shield by the Schrems II decision.

This same decision highlighted that beyond the guarantees specified in the GDPR, additional security measures must be put in place, in particular to deal with the legislation of some States allowing their interference.

The standard contractual clauses are drafted, in both their new and old versions, to ensure the security of the processing. The question could be asked regarding the legal reliability of the use of these clauses.

The question is even more important since the recent cases on Google Analytics. Following complaints from the NOYB association, the Austrian supervisory authority, the EDPB and the French supervisory authority considered that data transfers to Google Analytics were illegal. The guarantees in place would not be sufficient and would not ensure the confidentiality of the personal data against the American surveillance programs, in spite of the signature of standard contractual clauses and additional guarantees.

Thus, we can see that the valorization of data by American companies on the one hand, but also by companies that benefit from American services (Google Analytics) on the other, is likely to be blocked by the requirements of the GDPR and the resulting case law.

If you want to make the most of your personal data in compliance with the GDPR, we are ready to support you by providing you with recommendations adapted to your activities.

3. What about the valorization of health data?

The valorization of health data is a real challenge for healthcare professionals. Hospitals, clinics, radiology centers, etc. each have a patient database containing health data. In a utopia, each practitioner would have access to a generalized data bank without constraints, to accelerate the growth of medicine and to carry out technological feats quickly. However, the requirements for handling sensitive data are even greater and make the value of the data potentially lower.

Health actors must ensure that they have obtained the consent of the data subject, the data must be stored securely and pseudonymized, access authorizations must be restricted, etc. This list of measures to be implemented is obviously not exhaustive, but it highlights that the processing of health data, despite its obvious richness, is extremely complex. This is even more true for health professionals who do not have expertise in personal data protection.

In particular, the French supervisory authority has set up “reference methodologies” (“MR”) to allow health actors to benefit from data already collected. For example, MR 004, resulting from deliberation n°2018-155 of May 3rd 2018, allows this reuse for research not involving the human person.

This possibility is subject to a certain number of requirements. First of all, the data subject must be informed in advance of the processing of their personal data and must be given the opportunity to object to the transmission of the data to the sponsor of a clinical study. This information can be provided by means of a general notice posted at the site where the patient is being treated and by handing out a form on an individual basis. It may also be possible to post a list of the clinical studies in which the site is participating on the website.

Also, security requirements must be in place, including the fact that clinical study sponsors must only have access to pseudonymized personal data. The data received must also meet the principle of minimization. It is not possible for the sponsor to collect massive amounts of data.

For a complete list of requirements in this area, you can consult the website of the French supervisory authority.

In any case, if you wish to have additional information or if you want to benefit from the valorization of health data, we can support you.

To conclude, we note that the valorization of data is the challenge of today and tomorrow. This valorization must meet a certain number of requirements that call for real expertise, since the applicable legal framework is constantly changing. It is possible that in the coming months or weeks a new decision from a supervisory authority or a court will appear in this area. We will not fail to keep you informed.

Alexis Dessaints