Publications

How to combine GDPR and personal data valuation?

Published on 14 March 2023

Data valuation is the practice of assigning a financial value to the data a company holds so that it can be treated as a real asset. The value of data depends on many factors, from the data itself to the ways in which it can be used. For example, an email address that may be used for commercial prospecting will potentially be worth more than data about a person's health whose use is extremely restricted, for instance because the data subject has not given consent.

This notion of reuse is central to the marriage between the General Data Protection Regulation (GDPR) and valuation. Under the letter of the Regulation, every processing of personal data must rest on a legal basis (Article 6 of GDPR). The actions that follow from valuing the data, such as selling or reusing it, must therefore be legally justified. If no legal basis covers the intended reuse, which in practice most often means that the data subject's consent has not been collected beforehand, the data cannot be sold and its valuation will be very low.

Valuation of personal data is therefore not absolute: the actors involved must follow a strict framework. That framework can be a hindrance for companies that use valuation as a business tool, or for companies looking to raise funds.

1. What best practices should be implemented to secure the value of the personal data available to us?

As previously mentioned, to evaluate the value of data it is important to determine whether it can be reused, and in what context.

In this respect, two cases should be distinguished: the first where you wish to value an existing database, and the second where you wish to value a database that has yet to be built.

1) The existing database

To determine the value of your data, you need to make sure that you are able, in accordance with GDPR, to reuse it for further purposes. Your CRM must therefore let you trace the origin of each record and whether consent has been given. If so, you must be able to identify the scope of that consent: does it cover sending a newsletter? Sharing the data with partners? A consent that has since been withdrawn (Article 7(3) of GDPR) no longer covers anything, so withdrawals must be recorded as carefully as the consent itself.

If you have not obtained the data subjects' prior consent for the subsequent purposes, you can carry out a processing compatibility analysis in accordance with Article 6(4) of GDPR (a route the Regulation reserves for data whose original collection did not itself rest on consent), or run a consent collection campaign by e-mail. If you wish to explore these possibilities, feel free to contact us.
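The following is an added example, not code from the article or from DPO Consulting, showing what "tracing the origin and the scope of consent" looks like in a CRM before a database is valued. Each record carries its source, the purposes explicitly consented to, a pointer to the consent evidence and any withdrawal date; a classifier then sorts the base into records that can be reused for a given purpose, records whose consent was withdrawn, and records that need an Article 6(4) analysis or a re-consent campaign. The field names, purposes and sample rows are constructed for illustration and are not from the original page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One CRM row with the provenance information needed to assess reuse.
    (Hypothetical schema for this example.)"""
    subject_id: str
    source: str                        # origin of the record: web form, partner feed, ...
    collected_at: datetime
    purposes: frozenset = frozenset()  # purposes the subject explicitly consented to
    proof_ref: str = ""                # reference to the stored consent evidence (form id, log entry)
    withdrawn_at: Optional[datetime] = None   # set when the subject withdraws consent (Art. 7(3))

    def is_withdrawn(self, at: datetime) -> bool:
        return self.withdrawn_at is not None and self.withdrawn_at <= at

    def consent_covers(self, purpose: str, at: datetime) -> bool:
        """True only if consent for this exact purpose was given and is still valid at `at`."""
        return not self.is_withdrawn(at) and purpose in self.purposes


def classify_for_reuse(records, purpose: str, at: Optional[datetime] = None) -> dict:
    """Sort records by what the intended reuse requires:
    - 'reusable':     the scope of the consent covers `purpose` and it was not withdrawn
    - 'withdrawn':    consent was withdrawn; the record must not be reused on that basis
    - 'needs_action': no consent on file for `purpose`; Art. 6(4) compatibility analysis
                      (if the original basis was not consent) or a re-consent campaign
    """
    at = at or datetime.now(timezone.utc)
    buckets = {"reusable": [], "withdrawn": [], "needs_action": []}
    for rec in records:
        if rec.is_withdrawn(at):
            buckets["withdrawn"].append(rec.subject_id)
        elif rec.consent_covers(purpose, at):
            buckets["reusable"].append(rec.subject_id)
        else:
            buckets["needs_action"].append(rec.subject_id)
    return buckets


def reuse_ratio(records, purpose: str, at: Optional[datetime] = None) -> float:
    """Share of the database that can be reused for `purpose` without further work;
    a first, crude input to the valuation of the base."""
    if not records:
        return 0.0
    return len(classify_for_reuse(records, purpose, at)["reusable"]) / len(records)


# Constructed sample rows (not real data). T0 is the collection date, AS_OF the valuation date.
T0 = datetime(2022, 1, 10, tzinfo=timezone.utc)
AS_OF = datetime(2023, 3, 14, tzinfo=timezone.utc)
SAMPLE = [
    ConsentRecord("s1", "web_form", T0, frozenset({"newsletter", "partner_sharing"}), "form-8812"),
    ConsentRecord("s2", "web_form", T0, frozenset({"newsletter"}), "form-8813"),
    ConsentRecord("s3", "partner_feed", T0, frozenset(), ""),   # origin known, no consent on file
    ConsentRecord("s4", "web_form", T0, frozenset({"partner_sharing"}), "form-8820",
                  withdrawn_at=datetime(2022, 6, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for purpose in ("newsletter", "partner_sharing"):
        print(purpose, classify_for_reuse(SAMPLE, purpose, AS_OF),
              f"reusable share={reuse_ratio(SAMPLE, purpose, AS_OF):.2f}")
```

Note that the classifier keys on the purpose, not on the mere presence of a consent: s2 consented to a newsletter and is still "needs_action" for partner sharing, and s4's consent counts before its withdrawal date but not after.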

2) The database to be built

If your database has not yet been set up, this is the perfect time to ensure that the entire database is GDPR-compliant from the outset, and thus to maximize its value.

Collecting specific consent, informing the data subjects in accordance with Article 13 of GDPR, respecting the principle of data minimization, and being able to produce the consent given if a supervisory authority or a future partner asks for it: all of these subjects must be taken into account in order to build a fully reusable database.

DPO Consulting is committed to making data protection accessible to all. This accessibility comes with personalized follow-up for each of your activities, including analysis of your database's compliance through audit sessions.

2. Focus on international data valuation: Big Tech put at risk by GDPR

Some Big Tech companies have made the exploitation of the personal data they hold their core business. Take Google or Facebook: when we use their services, they collect massive amounts of data on users, well beyond what is entered when creating a profile or an account. From the moment the user starts browsing the application, every movement and every search is scrupulously stored by these digital giants. All of this information, which is obviously personal data, is then valued: the quality of the data is analysed and a price is set.

Companies wishing to advertise then contact Facebook or Google in order to appear in the news feed of people meeting a certain number of criteria. The pricing takes into account the valuation that the seller has made of this data.

However, this economic model currently faces a legal problem. Under Article 44 et seq. of GDPR, when personal data of persons located in the EEA are transferred outside the EEA, appropriate safeguards must be put in place. Since the Court of Justice invalidated the Privacy Shield in the Schrems II ruling (July 2020), the European Commission's standard contractual clauses have been the most widely used mechanism for securing such transfers to the United States.

The Schrems II ruling stressed that, beyond the guarantees written into GDPR, supplementary measures must be put in place, in particular for countries whose legislation allows public authorities to access the transferred data.

The standard contractual clauses, in both their old and their new (June 2021) versions, are contractual commitments drafted to ensure the security of the processing; they bind the exporter and the importer, not the authorities of the third country. The question therefore arises as to how much legal reliance can be placed on these clauses alone.

The question has become even more pressing since the recent cases concerning Google Analytics. Following complaints from the NOYB association, the Austrian data protection authority (January 2022) and then the CNIL (February 2022), working within a task force coordinated by the EDPB, took the position that the data transfers made by Google Analytics were unlawful. The guarantees put in place were judged insufficient to protect the confidentiality of the data against American surveillance programs, despite the signing of standard contractual clauses and additional guarantees.

We can thus see that the use of data by American companies, but also by companies that rely on American services (Google Analytics), is liable to be blocked by the requirements of GDPR and the case law that flows from it.

If you wish to use your personal data in compliance with GDPR, we are ready to assist you and to provide recommendations adapted to your activities.

3. What about the valuation of health data?

Valuing health data is a real challenge for healthcare actors. Hospitals, clinics, radiology centers and so on each hold a patient database containing health data. In a utopian world, each practitioner would have unconstrained access to a general data bank, so as to accelerate the progress of medicine and achieve technological feats quickly. However, the requirements for handling sensitive data are even higher, which only reduces the value of the data.

Healthcare actors must ensure that they have obtained the consent of the person concerned (health data being a special category of data under Article 9 of GDPR), that the data are stored securely and pseudonymized, that access authorizations are restricted, and so on. This list of measures is obviously not exhaustive, but it shows that processing health data, despite its obvious richness, is extremely complex, and even more so for health professionals who have no expertise in data protection.

In particular, the CNIL has put in place reference methodologies ("méthodologies de référence") to enable healthcare actors to benefit from data already collected. For example, MR-004, resulting from deliberation 2018-155 of 3 May 2018, allows such reuse for research not involving the human person.

This possibility is nevertheless subject to a number of requirements. First, the data subjects must be informed beforehand of the processing that will be made of their data and must have been put in a position to oppose the transmission of their data to the sponsor of the study. This information can be provided by a general notice posted in the center where the patient is treated and by handing out a form on an individual basis. A list of the clinical studies in which the center participates can also be published on its website.

Next, security requirements must be met; in particular, the sponsors of the study may only have access to pseudonymized data. The data received must also comply with the principle of data minimization, so the sponsor cannot collect massive amounts of data.
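As an added example, not code from the article, from the CNIL or from any reference methodology, here is how a center can build the extract it hands to a study sponsor so that the two requirements above hold: patients who opposed are left out, only the fields the protocol needs survive (with birth dates reduced to an age band), and the center's patient identifier is replaced by a keyed, study-specific pseudonym that only the center can link back. The field names, study identifier, key handling and sample patients are constructed for illustration and are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Fields that identify a patient directly; they never leave the center.
DIRECT_IDENTIFIERS = frozenset({"patient_id", "name", "birth_date", "address", "phone", "email"})


def pseudonym(patient_id: str, key: bytes, study_id: str) -> str:
    """Study-specific keyed pseudonym.

    HMAC-SHA256 rather than a bare SHA-256: without the key, a sponsor (or anyone who
    obtains the extract) cannot enumerate plausible patient ids and match them.
    Binding the study id means the same patient gets unlinkable pseudonyms in
    extracts sent to different sponsors.
    """
    return hmac.new(key, f"{study_id}:{patient_id}".encode(), hashlib.sha256).hexdigest()


def age_band(birth_year: int, reference_year: int, width: int = 10) -> str:
    """Reduce precision: the sponsor gets a 10-year age band, not a birth date."""
    age = reference_year - birth_year
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def sponsor_extract(records, allowed_fields, key, study_id, opposed_ids, reference_year):
    """Rows to hand to the study sponsor.

    - patients who exercised their right to oppose are left out entirely
    - only `allowed_fields` survive (minimization); direct identifiers are refused outright
    - the center-side patient_id is replaced by the keyed pseudonym
    """
    allowed = frozenset(allowed_fields)
    if allowed & DIRECT_IDENTIFIERS:
        raise ValueError(f"direct identifiers requested: {sorted(allowed & DIRECT_IDENTIFIERS)}")
    rows = []
    for rec in records:
        if rec["patient_id"] in opposed_ids:
            continue
        row = {"pseudonym": pseudonym(rec["patient_id"], key, study_id)}
        for name in sorted(allowed):
            if name == "age_band":
                row[name] = age_band(rec["birth_year"], reference_year)
            elif name in rec:
                row[name] = rec[name]
        rows.append(row)
    return rows


def resolve(pseudo: str, patient_ids, key: bytes, study_id: str):
    """Only the key holder (the center) can map a pseudonym back to a patient,
    e.g. to remove someone who opposes after the extract was sent."""
    for pid in patient_ids:
        if hmac.compare_digest(pseudonym(pid, key, study_id), pseudo):
            return pid
    return None


# Constructed sample data (not real patients).
PATIENTS = [
    {"patient_id": "P-1001", "name": "A. Martin", "birth_date": "1961-04-02", "birth_year": 1961,
     "diagnosis_code": "I10", "imaging": "CT-thorax", "phone": "+33 6 00 00 00 01"},
    {"patient_id": "P-1002", "name": "B. Durand", "birth_date": "1985-11-19", "birth_year": 1985,
     "diagnosis_code": "J45", "imaging": "X-ray", "phone": "+33 6 00 00 00 02"},
    {"patient_id": "P-1003", "name": "C. Petit", "birth_date": "1978-07-30", "birth_year": 1978,
     "diagnosis_code": "I10", "imaging": "MRI", "phone": "+33 6 00 00 00 03"},
]
OPPOSED = {"P-1002"}           # patient who used the right to oppose
STUDY = "STUDY-2023-07"        # hypothetical study identifier
# In practice the key is generated once and kept in the center's key store; here it is
# generated per run so that the example is self-contained.
CENTER_KEY = secrets.token_bytes(32)
SPONSOR_FIELDS = {"diagnosis_code", "imaging", "age_band"}

if __name__ == "__main__":
    for row in sponsor_extract(PATIENTS, SPONSOR_FIELDS, CENTER_KEY, STUDY, OPPOSED, 2023):
        print(row)
```

The extract is refused, rather than silently filtered, if a sponsor's field list contains a direct identifier, so an over-broad request fails loudly at the center instead of leaking. Because the pseudonym is keyed, pseudonymization here is reversible only by the center; the same data would still be personal data in the center's hands, which is exactly why the key must stay there.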

For the complete list of requirements in this matter, we invite you to consult the CNIL website directly.

In any case, if you wish to have additional information or if you wish to benefit from the valuation of health data, we can assist you.

To conclude, the use of data is the challenge of today and tomorrow. Such valuation must meet a number of requirements that call for real expertise, as the applicable legislation is currently changing. New decisions in this area may well come in the coming months, or even weeks. We will not fail to keep you informed.

– Alexis Dessaints