Data seems to be a topic of discussion anywhere and everywhere, as it should be, since we’ve seen the ramifications of “giving” businesses the right to take and store our data. Businesses might sell off your data, or hackers might steal it; either way, your information is leaving the grasp of many of the companies you originally gave it to, with or without your knowledge.
To combat data privacy invasions and give you better protection online, governments are looking into how to better regulate the acquiring and use of consumers’ personal data.
Personal data is data that identifies you, such as your name, email address, social security number, etc. Companies also collect other types of data that are anonymized and not associated with you specifically.
On April 14, 2016, the EU Parliament approved the General Data Protection Regulation (GDPR), which goes into effect this May 25, 2018. For those of us in the US, we are unfortunately a ways out from better data protection, but the EU has spent several years looking into how to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy” (GDPR Overview).
As a consumer and as a business, it is important to understand how these regulations will affect you. For those who do not live or operate in the EU, it can still be worth understanding what other countries and regions are doing to fix the big data problem.
Let’s start with some terminology so we know what we’re talking about:
Data Subject: A contact of the company; can be a consumer or a partner.
Controller: The company collecting the data.
Processor: The entity that processes the data subject’s data (companies like HubSpot, Marketo, or Pardot).
Now onto the key changes that affect either or both consumers and organizations.
Increased Territorial Scope
This is an important one! This change expands the regulatory landscape of data privacy. All companies that process data from data subjects in the EU must comply with the GDPR (this can be a US, UK, Australian, Indian, Chinese, etc. based company that is processing data on any EU citizen).
If your company breaches the GDPR, you are subject to some hefty fines. The maximum fine is 4% of annual global turnover or €20 million (whichever is greater). Some things you can be penalized for:
- Not having sufficient customer consent to process data
- Violating the core of Privacy by Design concepts
- Not having records in order
- Not notifying the supervising authority and data subject about a breach
- Not conducting an impact assessment
Consent With Notice
For personal data to be obtained, processed, and stored, the controller must get consent from the data subject. Consent can come in a number of ways:
- The data subject opts in
- Performance of a contract (e.g. sending a bill to a customer)
- Legitimate interest (e.g. sending information regarding a product the customer already owns)
Note that this is consent with notice, which means the data subject must also be explicitly told the purpose of collecting the personal data and how it will be used.
It must be as easy to withdraw consent as it is to give it.
Right to Access and Right to be Forgotten
Data subjects have the right to access their personal data used by the controller. A customer must be able to obtain, free of charge and in an electronic format, the data that is being processed, where it is processed, and for what purpose.
Data subjects also have the right to be forgotten. A customer can request to have his/her personal data erased from the controller’s database and to have the controller or processor cease any further processing of that data.
Privacy by Design
This change in the regulation requires the controller to design their system to include data protection from the start instead of adding it at a later date. It also clarifies that companies can hold and process only the data that is necessary to complete their duties.
Data Protection Officers (DPO)
The previous process to report data breaches is getting an overhaul. A DPO is required for controllers and processors whose core activities consist of regularly and systematically monitoring data subjects on a large scale, storing data of a special category, or storing data relating to criminal convictions and offences.
The DPO is hired by the company (controller or processor) either internally or through an external service provider and must be given the means to properly perform their duties and tasks.
To learn more about GDPR, check out these sites:
What do you think? Should the US look to implement a similar regulation, or do you have another suggestion to help protect consumers’ personal data?
Featured image from RW Connect