Has GDPR ignored the elephant in the database?

‘Personal data’ is defined in GDPR as ‘any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person’.

So each of us can be seen as ‘bristling’ with multiple potential identifiers, any or all of which may be stored by organisations using our personal data. And to add another layer of complexity, most of the commonly used identifiers, like email addresses or mobile phone numbers, may change on a regular basis.

All of us, as data subjects, can ask any organisation holding their data,for their personal data to be deleted, or transferred, or not to be used for marketing communications, or for profiling, or sold to anyone else etc. etc.

We may also change our minds about how our data can be used, and most probably forget what we have requested in the first place, because it’s not at all important to us.

So,for example,using our name and address as our ID, we request that organisation X does not profile our data, whilst using our email we ask to have our data deleted, and via our mobile phone number then expect to have our recent order traced.

GDPR tacitly assumes that persons about whom personal data is held can each be recognised uniquely, across all the identifiers they care to use, and as they change identifiers over time; and that from this basis rational interpretations can be made of their instructions.

This is evidently a delusion.

As vendors of a technology to build single customer views we know how difficult the identity problem is. The normal ‘shrinkage’ when we deduplicate a customer base across just say a couple of identifiers is around 20-25%; the more the types of identifier the greater the chance of duplicate records.

The technology we have developed to try to solve the problem is called UniFida, and it approaches the question of personal identifiers in a rather different way. It assumes, correctly, that all our common identifiers like email addresses, mobile numbers, cookie IDs etc. will change over time, and that individuals may have multiple versions of them.

So, it stores a history, for each individual, of all the identifiers it has been able to link. When an identifier arrives at UniFida as part of an on-line or off-line data feed, it searches the entire library of identifiers to see if it can get a match. In this way, it brings as much information about an individual together as is possible.

To find out a little more about Unifida please just click UniFida. It may make complying with GDPR a little bit more possible.