The statement ‘data is the new oil’ is common in online business for a valid reason. All digital marketing techniques, product development and even customer support rely heavily on consumer data. Whether an SEO, PPC, SMM or any other campaign succeeds depends on the amount and accuracy of the data. However, this also raises privacy concerns, as a website user often does not even know what kind of data is being collected. How will the website use this data? When will the website delete the collected data? The data is not under the user's control. For this reason, the European Union passed the General Data Protection Regulation to ensure digital data privacy.
What is GDPR?
GDPR introduces a set of rules to protect the personal data of EU citizens. It gives individuals more control over data collected and stored by an organization. These regulations also simplify doing business. It is all about data, consent and privacy across the European Union. Any organization, be it a retailer, a bank, a social media company or even a government, has to ensure GDPR compliance.
GDPR Compliance
A data breach is not just a problem; it is a serious threat. The information must not land in the hands of anyone with malicious intent. The EU GDPR imposes restrictions on how data may be collected. An organization collecting and storing data must do so lawfully. The business is responsible for protecting the data against misuse. A business violating GDPR regulations faces penalties.
GDPR regulations are applied to all organizations within the EU and organizations outside of the EU selling products or services in the EU. Article 4 of the GDPR defines two types of data-handlers:
- Controllers
- Processors
Controllers Definition
“a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.”
Processors Definition
“Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Personal Data
To ensure GDPR compliance, a business needs to know what personal data is. The GDPR considers the following data under personal data:
- Name
- Address
- Photos
The definition also includes IP addresses. Biometric data and genetic data are sensitive personal data that can reveal the unique identity of an individual.
When did GDPR come into effect?
It took years to prepare, debate and pass the General Data Protection Regulation. The European Parliament approved the General Data Protection Regulation in April 2016. The official texts of the regulation were published in May 2016. GDPR (General Data Protection Regulation) came into effect for EU data protection on 25 May 2018.
GDPR Compliance and Business
Every single organization doing business in the EU member states must comply with the General Data Protection Regulation. In addition, an organization that is based outside the member states but active in any of them must follow the General Data Protection Regulation. GDPR not only ensures EU data protection but also makes it easier to do business. The European Union now has a single authority supervising data protection. Running a business in the EU is simpler and cheaper. According to the Commission, GDPR compliance can save €2.3 billion per year across the EU. Building GDPR compliance into the earliest stage of product development ensures that the design protects data. An organization can use ‘pseudonymization’ and other techniques to keep the benefits of personal data collection and analysis while reducing the risk to the individuals concerned.
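Pseudonymization, mentioned above, means replacing the direct identifiers in a record with tokens that cannot be linked back to a person without additional information that is held separately. The following Python script is an added example, not code from the original article: it replaces the name, email and IP fields of some constructed sample records with keyed HMAC tokens, keeps the re-identification table apart from the analytics dataset, and checks that no raw identifier is left behind. The key, the field names treated as identifiers and the sample records are assumptions for this demonstration.

```python
import hashlib
import hmac

# Constructed sample records for the demonstration (not real people or addresses).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "ip": "203.0.113.7", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.com", "ip": "203.0.113.9", "purchases": 1},
    {"name": "Alice Example", "email": "alice@example.com", "ip": "198.51.100.4", "purchases": 2},
]

# Fields treated as direct identifiers (an assumption for this example; a real
# inventory comes from the organization's own data mapping exercise).
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def pseudonymize_value(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token for one identifier value.

    HMAC-SHA256 is used rather than a plain hash: without the key, someone who
    obtains the dataset cannot simply hash guessed emails or IPs and match the
    tokens. Binding the field name means the same string appearing in two
    different fields gets two different tokens. The digest is truncated to
    128 bits (32 hex characters) to keep the output readable.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_dataset(records, key: bytes):
    """Return (pseudonymized_records, reidentification_table).

    The records keep their non-identifying fields so they stay usable for
    analytics. The table is the 'additional information' that must be stored
    separately, under access controls, never beside the pseudonymized data.
    """
    table = {}
    output = []
    for record in records:
        copy = dict(record)  # never mutate the caller's original record
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                token = pseudonymize_value(copy[field], key, field)
                table[token] = (field, copy[field])
                copy[field] = token
        output.append(copy)
    return output, table


def reidentify(token: str, table):
    """Look a token up in the separately held table (controller side only).

    Returns (field, original_value) or None for an unknown token.
    """
    return table.get(token)


def contains_raw_identifiers(records) -> bool:
    """Cheap sanity check before a dataset leaves the controlled environment:
    flags an '@' in the email field or a dotted quad in the IP field."""
    for record in records:
        if "@" in record.get("email", ""):
            return True
        if record.get("ip", "").count(".") == 3:
            return True
    return False


if __name__ == "__main__":
    # Constructed demo key; in production the key lives in a secrets manager
    # and is rotated according to the organization's retention policy.
    key = b"constructed-demo-key-keep-in-a-secrets-manager"
    pseudo, table = pseudonymize_dataset(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    print("raw identifiers left:", contains_raw_identifiers(pseudo))
    # Same person, same token: rows 0 and 2 can still be joined for analytics.
    print("linkable:", pseudo[0]["email"] == pseudo[2]["email"])
```

The key is the whole point of the design: with a plain, unkeyed hash, anyone holding the dataset could hash a list of candidate email addresses and match the tokens, which would defeat the purpose of pseudonymizing at all. Because the tokens are deterministic under one key, the same customer still links across rows, which is what keeps the dataset useful for campaign analysis; rotating the key breaks that linkage, which is a deliberate retention control rather than a defect.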
GDPR and EU Citizens
Email addresses, passwords, phone numbers, confidential health records, SSNs and other important pieces of personal data can be exposed on the web. Under GDPR data protection, EU citizens get the right to know when and how their data has been stolen. When a data breach occurs, the organization must immediately report it to the appropriate national bodies so that they can take measures to prevent data misuse. The organization is legally bound to provide details when a user requests access to their personal data and wants to know how the organization processes and uses it. Many organizations in the retail and marketing industries even ask their customers whether their data may be stored in the database. The right to be forgotten is another important right, allowing consumers to direct an organization to delete their data.
Organizations send emails to customers asking whether they want to opt in to receive messages. However, these emails are also an opportunity for scammers and criminals, who send phishing emails to trap unwary people. For example, a scammer can pose as an organization, and such emails mention GDPR and other EU policies to look legitimate. The purpose of these emails is to steal information such as account credentials and credit card details.
GDPR Breach Notification
When a data breach occurs, the breached organization must report it to the supervisory body. The organization is also required to inform the affected individuals. Any kind of breach that can result in the following must be reported:
- Discrimination
- Risk to the consumer’s rights and freedoms
- Reputational risk
- Confidentiality loss
- Financial loss
- Social or economic disadvantage
It is a legal obligation of the organization to inform the affected individual if any of the following information is breached:
- Name
- Address
- Contact details
- Date of birth
- Bank details
- Health records
- Any other personal data
It must also notify the regulatory authority within 72 hours of becoming aware of the breach. The regulatory body takes appropriate steps to restrict exploitation of the data. The organization must deliver the breach notification to the affected individuals directly. It may also have to communicate on its website, on social media and in press releases.
GDPR breach notification must include the following details of the breach:
- Categories of information compromised
- Number of individuals compromised
- Number of data records concerned
It is the responsibility of the organization to describe the potential consequences of the incident. These may include identity theft, loss of money and more. The organization must also provide details of the measures it is taking to address the breach. It also needs to name the main point of contact, such as the data protection officer.
GDPR Fines
The consequences of not complying with the General Data Protection Regulation include GDPR fines of €10 million or 2% of the organization's annual global turnover. GDPR data breach fines also depend on the seriousness and severity of the breach. For a serious infringement, the maximum fine for a data breach is €20 million or 4% of the organization's annual global turnover.
Less severe violations include:
- Not reporting a data breach
- Not building privacy by design
- Not applying data protection in the first stage of product development
- Not appointing a data protection officer
More severe violations include:
- Infringement of the consumer’s rights
- Transferring personal data internationally without authorization
- Ignoring access requests or not having a procedure to provide access to data
Data Protection Officer (DPO)
GDPR requires an organization to have a data protection officer. The officer oversees the implementation of the data protection strategy in the organization and is responsible for ensuring GDPR compliance. Any organization that stores and processes customer data must appoint a data protection officer. Whether a DPO is needed has nothing to do with the size of the organization; it depends on the data the organization handles. GDPR does not define ‘large scale’ data handling. The following are the main factors governing bodies consider when determining whether an organization needs a data protection officer:
- Data items
- Data subjects
- Geographic range of processing
- Data retention length
According to Article 37, appointing a data protection officer is mandatory for an organization collecting and processing consumer’s data. Article 39 outlines the following responsibilities of a data protection officer:
- Educates the organization and employees on GDPR compliance
- Trains on data processing
- Conducts GDPR compliance audits
- Proactively addresses potential GDPR compliance issues
- Serves as the point of contact between the supervisory body and the organization
- Provides advice for data protection
- Monitors performance
- Records data protection activities
- Informs customers on how the organization uses their data
- Informs customers of their rights
- Tells how the organization protects customers’ data
When it comes to qualifications for a data protection officer, GDPR does not specify any credentials. According to Article 37, the officer must have expertise in data protection practices and laws. The officer must not have any other responsibilities that may conflict with the responsibilities outlined by Article 37.
Any organization active in the EU must ensure GDPR compliance. It is important to hire a data protection officer expert in data protection practices and laws.