Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

GDPR Implications for Competitive Analysis Within and Beyond the EU

DZone's Guide to

GDPR Implications for Competitive Analysis Within and Beyond the EU

Here are some tips and advice for making sure your competitive data for analysis doesn't run afoul of GDPR regulators so you can stay compliant.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

The General Data Protection Regulation (GDPR) is one of the biggest changes in European technology regulation over the past century. It completely revamps the Data Protection Directive of 1995. While it provides many needed protections for customers throughout the European Union, it also creates new complications for brands with a presence in the region.

Some critics have condemned the new policies as overly draconian and unnecessary. They warn that they will discourage innovation and have a dampening effect on economic growth. On the other hand, the GDPR creates opportunities for organizations within and beyond the EU.

Brands with a presence in the EU need to reassess their policies. One of the areas that they need to overhaul is their approach to competitive analysis.

Here are some things to keep in mind.

Most Competitive Data Is Not Subject to the GDPR

The GDPR was developed with the intention of keeping customer data safe. Here is some context from the EU GDPR website:

“Any information related to a natural person, or ‘Data Subject,’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address… A controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”

The text clearly emphasizes that the law is focused on safeguarding the privacy of personal data. What does this mean for companies that store data on their competitors?

Most of this data will not be covered under the scope of the GDPR since it does not pertain to a natural person. However, there are going to be some exceptions that you need to evaluate:

  • While collecting competitive information, you may discover that some of the information is anecdotal information about their specific customers. If this information can be used to identify the real customer, then that customer may insist that it gets removed from your database.
  • Companies that aggregate data from a competitor’s social media feeds or other online sources of data could run afoul of the law if personal data was transferred in the process.
  • Screenshots of competitor information may contain personally identifiable information.
  • Information on the leaders of the competing company may also be covered under the GDPR.

The third bullet point is a grey area that deserves a lot more discussion. Theoretically, any company could report competitors for violating the GDPR if they failed to delete information on their officers. This could be done solely to expose them to massive fines.

However, the public nature of the data could be used as an affirmative defense. The alleged offender could argue that the data came from multiple other public sources and that they were merely aggregating it.   

You will also need to play everything by the book before running any covert competitive analysis strategies. According to the CEO of Top 10 Spy Software, cell phone spy tools can be very effective for collecting information on competitors.

“You may not have the same affirmative defense under the GDPR and need to make sure any personally identifying data is omitted from your reports or deleted upon request. Take careful inventory of the data you collect with any tool,” he states.

Data from company review pages is probably also not covered, especially if it is aggregated. Customers put their information on these sites very publicly and usually have to agree, which is one of the benefits of using sites like Shifu. However, it may still be a good idea to anonymize the data if possible.

Understand the Consent Requirements When Collecting Personal Data Via Competitive Analysis

The GDPR has a very strict consent requirement that all companies must abide by. They cannot information without a consumer’s approval.

However, there is a lot of ambiguity when the company is not a primary collector of data. If you acquired data from another source, then consumers will need to have signed an agreement stating that they give permission for their data to be shared before you can access it. You could be sanctioned if you get data from a company that did not get this consent.

The policies can be even more complex when a customer rescinds their access to the data. Does this mean that they need to forward the request to you and other secondary data collectors? Or does the customer need to contact you and other intermediary data collectors directly?

You also need to make sure that the data cannot be easily recovered after consent has been rescinded. Make sure the data is overwritten multiple times so that it won’t be restored with a Linux disk recovery.

You will need to consult with a lawyer on these issues because a precedent has not been set on these topics. However, you are going to make sure that any competitive analysis tool that you use has a clear consent agreement that they are abiding by before they share data with you.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

Topics:
gdpr ,analytics ,security ,personal data

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}