Privacy: Play it Safe

28 February 2018

Article written by Jeanine Schoonemann, Principal Consultant

The enforcement of GDPR is imminent! As an analyst, you are bound to be wondering whether you’re ready. And, even more important, how it his is going to affect all those great models you are already running.

In this article we are going to tell you more about how you can make sure you (and your models) can strive to be GDPR-proof. With reference to a practical example, we are going to explain step-by-step what is important and what you need to think about. Of course, the GDPR also has many other aspects that we won’t be discussing in this article.

The example: our analyst, Simon, developed a churn model a year ago. That model has been in use for marketing campaigns ever since. The offering to each customer varies depending on their churn probability and customer value. And it bore fruit: the campaign sharply reduced the number of churners. But Simon is getting a bit nervous now the GDPR is about to be enforced. Can this model still be used?


Processing data

The first step in answering this question is to determine whether any personal data is going to be processed. That’s an easy one in this case. A model is made based on customer data, so the answer here is always yes.


Legality, transparency and fairness

The next step is the legality, transparency and fairness principle, which means:

  1. There is permission from the customer;
  2. There is a customer relationship / contract;
  3. There is a justified interest.

Whether or not a customer has given permission for his or her data to be processed, and whether such permission was asked for in a transparent way, is not something that Simon knows. But he can still follow up on anything he doesn’t know himself, of course. As an analyst working for his employer, Simon’s role is to process data rather than be responsible for it. But that doesn’t necessarily mean he doesn’t carry responsibility within the GDPR framework. Therefore he asks his manager to look into it for him. This is important, not only for all the other analysts but also actually for the entire company!

Since in this instance we’re talking about a churn model, we are only looking at active customers and we know for sure that there definitely is a customer relationship. So that’s another tick in the box: Simon, you’re on a roll!

The final bit to consider is that it has a justified interest. This means we balance the interests of privacy against the interests of marketing (in this case). The churn model helps with customer retention, making the right propositions and therefore supports the continued existence of the organisation and its commercial and other objectives. This sounds like a pretty decent justification of why it is in its interest to make this model.


Privacy Impact Assessment (PIA) / Data Protection Impact Assessment (DPIA)

In his model, Simon scores/evaluates people based on data, and automated decisions are made on that basis, therefore Article 35 of the GDPR dictates that a PIA/DPIA is compulsory in this case. As you might suspect from the name, this involves a series of questions you must answer to help identify any privacy risks. And which designates accountability for the decisions made. In addition, it must also ensure that privacy protection is explicitly integrated into the design (in this case, of a model and campaign). It probably isn’t Simon’s responsibility to do this, considering he is first and foremost an analyst. However, as is already the case, Simon still does have to take responsibility for seeing that privacy is properly addressed. So that’s another good question to put to his manager.



So now it’s time for the data, as that has to be properly organised too, of course. For the GDPR, it is important that it is limited to a purpose. And that this is recorded in a processing register within the organisation. This register records what types of processing are being carried out, what data it affects, what risks are associated with it and what risk management measures are being taken. This is also where the organisation records what purpose(s) the processing is for and thinks about at data minimisation and retention periods.

Simon is in luck: his DPO (Data Protection Officer) has done a great job and Simon’s model has already been neatly and properly entered in the register. This gives Simon immediate confirmation that the internal data he wants to use is OK for him to process too. If he wasn’t entirely sure about this, he certainly should check to find out.

But in addition to the internal data, Simon also uses some external data as input for his model. Is that still allowed? The answer is yes. But watch out, when using such data, your organisation must be sure that this external data has been collected in a GDPR-approved way. Simon doesn’t know anything about this, so there’s another good question for his manager.



Simon is right on track! But there is one thing that makes him far more nervous than any of the previous points. He has heard that a model can only continue to be used now if you know precisely which variables have led to a customer having a particular churn probability. If it was a linear regression or decision tree, then he would know. But Simon is using a boosted tree.

An example of a risk associated with this is that you are unable to tell customers exactly why they have been sent a particular offer. Fortunately it transpires that the risks have been properly tested, itemised and addressed in the PIA/DPIA and the processing has been recorded in the processing register. Doing this has also provided the maximum transparency on the algorithm used and what data has been used for it. If there are any customers that still don’t want this, they can always invoke their right to request human intervention.

On the matter of transparency in situations of “automated decision-making”, please refer to the Article 29 Working Party guidelines on Profiling, which have now been finalised!



Simon breathes a sigh of relief as the GDPR isn’t so bad after all. His model can simply keep on running! Of course, it is a good thing to step back and reflect on your customers’ privacy. Most of all, the GDPR is making it a stricter and more conscious process whereby taking privacy into consideration is a matter of course.


Read more

If you want to read more on the above mentioned GDPR articles, you can also read the publications and guidelines of ‘The article 29 working party’. The Article 29 Working Party (Art. 29 WP) is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.



The GDPR is a new piece of legislation and, as is often the case with legal matters, the devil is in the detail. If you want to make sure your model or processing methods comply with the GDPR guidelines and conditions, you should agree this with the responsible person at your organisation.


Do you want to know more about this subject? Please contact Jeanine Schoonemann using the details below

Jeanine Schoonemann, Principal Consultant

+31 6 55 89 75 12

Latest news

DDMA Customer Data Award Night on November 19th, 2020

29 April 2020

About the Award The field of data driven marketing is evolving fast. To honor these developments,... read more

Successful first match from the Match Exchange! “Who cares” helps the Eemstadboerderij City Farm

19 November 2018

With the “Who cares?” programme, Cmotions strives to make a positive contribution towards a better society.... read more

Newsletters and the Privacy Law: how you can become GDPR-proof

21 March 2018

“Do we actually need to do something about our newsletter, now the GDPR is here?” GDPR... read more

Subscribe to our newsletter

Never miss anything in the field of advanced analytics, data science and its application within organizations!