The General Data Protection Regulation (GDPR) has been applicable since 25 May 2018 and is a game changer in the field of data protection. Businesses built on emerging data-driven models, in particular SMEs and start-ups, do not necessarily have the resources to fully understand the implications of the change of practices the GDPR requires. The Data Pitch team has been conducting research in this field with a view to assessing whether the GDPR is effectively able to both ensure a high level of data protection and offer an appropriate framework to support innovation. In a recent paper, the team argues that the GDPR could indeed do both. This would require adopting a dynamic and risk-based approach to data protection law.
By adopting a dynamic approach to data protection law, the team shows that it remains possible, whatever the type of data analytics practice at stake, to apply key data protection principles, such as purpose limitation and data minimisation, and adequately frame plans for future processing activities to ensure data protection compliance. A dynamic approach implies acknowledging the interdependence of data protection requirements and the differential impact of legal bases upon data protection principles such as purpose limitation and data minimisation.
Ultimately, reconciling data analytics with data protection requires a strong commitment to purpose preservation over time. For that reason, the team argues that the key to unlocking the enabling functionalities of the GDPR edifice is the setting up of robust data governance structures, i.e. the effective arrangements of processes governing the way data is dealt with within and between entities, and their monitoring. Three fundamental principles should be at the core of any data governance structure: purpose specification preservation, dynamic protection adaptation, and data quality assurance.