Note: Most of these blogs are for my personal reference and at a given time, some of those might just be unpolished drafts.


GDPR (General Data Protection Regulation) is a regulation to ensure that companies working in the European Union region in the e-commerce domain comply with a set of rules in order to safeguard customers’ data and their privacy. It also requires them to completely wipe a user’s data when requested by the user. So, basically, this is an attempt at empowering general users and giving them ownership of their own data. In the light of recent incidents such as the Cambridge Analytica scandal involving Facebook, enforcement of GDPR (enforceable from 25 May 2018) has been received with much enthusiasm and anticipation.

The entire text of GDPR can be read here. Enforcement of this law plays a particularly significant role in the area of machine learning and data analytics. It touches the moral, ethical and legal side of the whole operation. Today most companies rely heavily on customers’ data and its analytics to optimize their own business. Without universal, active regulation in the picture, today’s scenario is quite chaotic if we think about it. There are companies collecting a lot of our personal data, and most of the time we don’t know the reason why. There are social media companies like Facebook, Twitter and Instagram which profile their customers day in and day out so that they can be better targeted by advertisers, earning them a whole chunk of revenue in the process. Data protection and privacy are very high concerns. Enforcement of this act in the EU region is going to force any company operating in that region, or doing business in that region which involves collecting some sort of customer information, to abide by a set of unified principles.

Once implemented, GDPR is going to be the strictest data privacy law in the world, with an aim to safeguard users’ basic rights over their own data. In GDPR terminology, we have data controllers (who determine what happens with personal data) and data processors (who work on data for the controller: this could be analytics companies, software, tools, etc.). Any company failing to comply with these GDPR regulations is subject to a fine (as much as 4% of annual turnover).

The requirements for complying with GDPR can be summarized at a high level as:

  • User’s consent on data: When asking for data or permission to use it, terms and conditions and privacy policies must be easy to read, unambiguous and not confusing. Revoking consent should be as easy as granting it.
  • In case of any breach, the data owner (i.e. the customer) should get notified within a timespan of 72 hours.
  • Customers should be able to get an electronic copy of their data if they want it. They are also entitled to know how it is used.
  • Customers have the right to be forgotten, and in that case the data controller should completely wipe the data.
  • Customers’ data that is gathered should be portable. (E.g., customers might want to use the same data in a different environment or for a different purpose altogether.)
  • While designing any system, UI or software, privacy should be incorporated as a basic element of design.

What does it mean for other markets and regions?

GDPR is going to be in effect only in the European region and for the businesses operating in that area. This implies that European users and customers are more aware of and worried about data security and privacy. But what about the rest of the world? When is the whole world going to adopt some sort of privacy regulation like GDPR? Hopefully this will prove to be a cornerstone on the way to that position and will raise a wave of awareness among users about data security and privacy. It should also raise awareness in the community of ML practitioners about the legal and ethical implications of our projects and work.

Written on May 29, 2018