GDPR is an obligation and not a choice

The EU has maintained a strong record in protecting the individual’s privacy through the lawful processing of their personal data under the General Data Protection Regulation (GDPR).

This fundamental right is enshrined in EU human rights legislation, and now, after great endeavours, it is enforced across Europe under the General Data Protection Regulation (GDPR).

As per Article 99 of the General Data Protection Regulation (GDPR), it is “mandatory in all its elements and directly applicable in each Member State”.

The European Data Protection Directive of 1995 received overwhelming support from the European Parliament in 2014. It has since been reworked and fine-tuned under the General Data Protection Regulation (GDPR) to establish a wide range of rights for individuals, including the following:

Improved data portability

Allowing individuals to exercise the right to access “my data”, i.e. the personal data held about them by organisations such as businesses and consumer groups.

In particular, this data can be used by money-saving comparison websites to give clear information that assists decision-making about products such as:

  • Bank accounts
  • Credit cards
  • Credit reports
  • Utility suppliers
  • Mobile phones

The regulation establishes that individuals can enjoy the right to receive the requested personal data in a structured format and with the ability to transmit this data to another data controller.

Extra protection on profiling and automated decision making

An impartial and independent body known as the “Article 29 Working Party” has been working alongside the European Commission since 1995, providing and publishing opinions and guidance throughout the journey. Its advice and guidelines on automated decision making and profiling of individuals are strict because of the genuine need to safeguard the rights and freedoms of individuals.

Organisations use profiling data to predict online behaviour, generally for marketing purposes; for example, email marketing campaigns use profiling with a view to targeting goods and services. The purpose is to predict an individual’s online behaviour and make “automated decisions” based on it, which leads to the second issue: automated decision making.

The Article 29 Working Party advice on automated decision making is clear: while it recognises the benefits of these activities, it also points out that significant risks may arise for the rights and freedoms of individuals. The regulation stipulates that individuals “have the right not to be the subject of a decision based solely on profiling or automated methods” when this is based on direct marketing.

The General Data Protection Regulation (GDPR) will make for an interesting journey in this respect: it remains to be seen how big data-driven organisations and popular social networks react once it becomes the norm for individuals to object at every turn to the processing of their personal data, including the creation of profiles insofar as they relate to unwanted marketing.

Privacy by design

Just as a new housing development must include, at the initial planning stage, the essential features that make it environmentally friendly, any new technological development must take into account the protection of the individual user’s personal data.

Known as “privacy by design”, this concept provides data protection guarantees from the beginning of any new technology development or design: an application or program, an app, an electronic commerce system, the internet of things, anything where personal data will be processed. Developers of applications, products or services are required to have specialised knowledge of privacy and data protection through the design, development and launch phases.

GDPR obligation acts

One positive aspect of privacy by design is that it acts as a safeguard from the outset of any new development. It is a proactive measure and seeks protection throughout the life cycle of the product or service.

Proactive design and development will eventually lead to better organisations that build software with the data protection obligation in mind, because it is easier to plan and develop from a starting point based on a clear legal framework. This brings peace of mind when engaging in business-to-business activity, removing the worry of not complying with the General Data Protection Regulation (GDPR).

What is privacy by design?

Privacy by design means offering the maximum privacy guarantees by default in the design of applications, products or services that deal with personal data. If there are several privacy settings, the most privacy-protective one must be selected by default, because that offers the greater guarantee of privacy required by the individual.

The default privacy also implies:

  • Data minimisation, that is, collecting only the minimum data needed for the product or service to fulfil its purpose.
  • Access control: access to the data is granted only to personnel who need it to perform their roles, and the data is not transferred to third parties unless this is required or the interested party has been explicitly informed and has consented. Pseudonymisation techniques can be applied for this purpose (pseudonymisation encrypts the data as a security measure to ensure the data can become anonymous).
  • Data storage periods must be made fully transparent to users and personnel and limited to what is strictly necessary, with any extension limited to the legally recommended storage periods.
  • Transparency is integral and requires informing the user about the processing of their data with clear, concise and understandable information.

A practical example is found in many gaming apps that request personal information, such as permission to access phone contacts, camera images, SMS and phone calls, even though access to all of these is unnecessary to play the game.
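As an added illustration that is not part of the original article, the following Python sketch applies three of the privacy-by-default points above (data minimisation, pseudonymisation of a direct identifier, and a storage limit) to a constructed sign-up record from a hypothetical mobile game that over-collects contacts and call logs. The field names, retention period and key are assumptions for the demonstration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Fields the hypothetical game actually needs to run its service (assumption).
# Everything else in the sign-up record (contacts, call log, ...) is dropped.
REQUIRED_FIELDS = frozenset({"player_id", "email", "country", "created"})

# Direct identifiers replaced by a pseudonym before the record reaches staff
# (e.g. analytics or marketing) who do not need the real value.
DIRECT_IDENTIFIERS = ("email",)

def minimise(record, allowed=REQUIRED_FIELDS):
    """Data minimisation: keep only the fields needed for the stated purpose."""
    return {k: v for k, v in record.items() if k in allowed}

def pseudonymise(value, key):
    """Keyed HMAC-SHA256 pseudonym: stable, so records can still be linked,
    but not reversible without the key, which the controller keeps separately
    from the pseudonymised dataset."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def retention_expired(created, today, max_days):
    """Storage limitation: True once the record has exceeded its retention period."""
    return (today - created) > timedelta(days=max_days)

def process(record, key, today, max_days=365):
    """Return the minimised, pseudonymised record, or None if it must be deleted."""
    kept = minimise(record)
    if retention_expired(kept["created"], today, max_days):
        return None
    for field in DIRECT_IDENTIFIERS:
        if field in kept:
            kept[field] = pseudonymise(kept[field], key)
    return kept

# Constructed sample sign-up record (not real data) carrying the over-broad
# fields the article mentions: phone contacts and call history.
SAMPLE_RECORD = {
    "player_id": "p-1001",
    "email": "alice@example.com",
    "country": "DE",
    "created": date(2018, 6, 1),
    "contacts": ["bob@example.com", "carol@example.com"],
    "call_log": ["+49-000-000000"],
}
SAMPLE_KEY = b"constructed-demo-key-held-apart-from-the-data"
```

Calling `process(SAMPLE_RECORD, SAMPLE_KEY, date(2018, 7, 1))` yields a four-field record with a pseudonymised email; the same call with a date past the retention period returns `None`, signalling deletion.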

GDPR social networking and the right to be forgotten

Privacy is a fundamental right and must be preserved with a degree of firmness.

Mark Zuckerberg recently announced that his organisation, Facebook, will not implement the same level of General Data Protection Regulation (GDPR) protection in the US, but will adapt its GDPR obligations for European users. US users will therefore have less protection, and one of the most apparent rights that Facebook might wish to play down is the right to erasure, or the right to be forgotten. The scandal over the unauthorised and unwarranted use of the personal data of 50 million Facebook users has put the dominant tech company in a complicated situation that may further damage a reputation already vulnerable because of its role in the circulation of fake news.

Ensuring the privacy and protection of user information is an unavoidable GDPR obligation for all organisations, especially for an organisation such as Facebook. Such rights are violated daily, which increases the need for legislation like the GDPR to be made compulsory. Brands such as Google and Amazon accumulate vast amounts of private information and manipulate this data for their marketing campaigns.

Privacy advocates have campaigned against the misuse of personal data. The future of the General Data Protection Regulation (GDPR) obligation looks bright for those who seek or defend the right to privacy. Facebook’s decision not to implement the full scope of the General Data Protection Regulation (GDPR) for US users has raised suspicions about its ability and its efforts to regain the trust of users, especially in light of recent data mining abuses.

The company, with its filters for false information on the web and established software for identifying content reliably, also has an increasing responsibility to ensure control over the advertising of political campaigns, even at the cost of losing part of its primary source of revenue. There is no denying that technology companies such as social networking sites have helped to create a free, open and interconnected world. They have become not just the engine but also the DNA of globalisation. Leaking private data highlights the fragile and vulnerable nature of our personal information in the hands of these giants.

The US government, British Parliament, and the European Parliament as well as representatives of the 500 million people affected by Facebook’s personal data leak, demand assurances, convincing answers and effective measures from Facebook.

✓ International data transfers

In the current global economy, cross-border transfers of personal data are ubiquitous. Sometimes this data is maintained on servers in several different countries. The General Data Protection Regulation (GDPR) obligations apply to this data regardless of where it eventually ends up.

Article 49.1 of the General Data Protection Regulation (GDPR) states that data can be transferred only to countries where there is the same level of protection, or when explicit consent to the transfer has been given, and then only after the individual whose data is being transferred has been made fully aware of the risks of such a transfer. That awareness must take the form of an explicit written statement, and the consent of the individual concerned must be seen to have been obtained in an indisputable manner, through a written declaration signed by the individual.

Article 7.1 of the General Data Protection Regulation (GDPR) gives a comprehensive list of the ways in which appropriate consent can be demonstrated. The recommendations in the Article 29 Working Party document “Guidelines on Consent under Regulation 2016/679” provide further clarity on this subject. At times, the European Commission can make an adequacy decision declaring that a non-EU state offers an adequate level of data protection, thus allowing data to be transferred to an organisation within that country.

This allows for less explicit requirements to gain consent and provide guarantees, because such transfers are deemed to be to a “suitable” country whose processes for data transmission and protection are similar to those in the EU. In the absence of an adequacy decision, the transfer can be made through the establishment of “adequate guarantees”, provided the individual whose data is being transferred has enforceable rights and effective legal remedies.

Such adequate guarantees include:

  • in the case of businesses engaged in joint economic activity, the transfer of personal data under “binding corporate rules”;
  • contractual agreements with the recipients of personal data, for example, standard contractual clauses approved by the European Commission;
  • adherence to approved codes of conduct, certification mechanisms, and binding and enforceable commitments made by the recipient to apply adequate guarantees for the protection of the transferred data.

Finally, if a transfer of personal data is planned to a country that is not subject to any of the above adequacy provisions, and in the absence of adequate guarantees, the transfer can be made based on several exceptions in specific situations.

For example, when a person gives consent to the proposed transfer after receiving all the necessary information about the risks related to such a transfer.

For countries lacking the vital adequacy provisions, you are required under the General Data Protection Regulation (GDPR) to develop a certification system and adopt a code of conduct so that your company meets its responsibility to offer adequate guarantees, ensuring there is no risk to the privacy of the individual whose personal data is being transferred.

GDPR

Business organisations are compelled to adopt the mechanisms set out under the General Data Protection Regulation (GDPR) for obtaining consent, to comply with this new vision and ensure that consent is free, informed, specific, definite and explicit. Using tools that demonstrate individual consent beyond doubt is one of the most critical challenges, and those responsible for handling the data will have to take this on within their organisation.

✓ Phishing, ransomware, online fraud and hacking

Cybercrime is growing globally, and a particular dystopia is emerging in how personal information is mistreated, creating victims of online fraud, hacking, phishing and ransomware. There has to be a corresponding rise in policing and fighting this abuse and harm against innocent individuals whose information is not adequately protected. In this way, the GDPR obligation is a welcome unified model for those who process customer data.

Most global organisations should have in place a structured plan and a good knowledge of the General Data Protection Regulation (GDPR) and the consequences of non-compliance. GDPR obligation fines are high for businesses:

  • up to 4% of their annual revenue, or
  • up to 20 million euros,
  • whichever is higher.

Analysts expect General Data Protection Regulation (GDPR) obligation fines to continue to rise under these regulations.

Fundamentally, what you need to be thinking about is how you look after the personal data that you use in your business: data that belongs to your customers, to your employees, and to other individuals and third parties. The three most essential elements to bear in mind are:

  • Legal
  • Transparent
  • Fair

Being compliant, transparent and accountable for what you are doing with personal data and how you are managing the risks are all part and parcel of good business practice and ethics. Embracing the GDPR obligation ensures a well set up and legally compliant organisation in a modern and thoughtful business environment.

If you are non-compliant with GDPR, now is a good time to revisit your existing practices. Check whether they are hitting the right notes and truly delivering the requirements to manage the risks that you are taking with data. Many organisations treat the GDPR obligation as a real challenge, and with good reason, because understanding how all the data is being used everywhere in your organisation can be difficult when there are many different lines of business and many conflicting priorities.

Instead of viewing the GDPR obligation as a tedious piece of the legislation, take it as a vast opportunity to invoke trust in an increasingly complex digital world.

Why wouldn’t you want to reinforce and build the confidence of your customers that their data is being safeguarded in your organisation?

Action is compulsory, GDPR compliance is essential, and the correct approach must be taken. If you do not have the expertise in-house, Seers can provide privacy experts who can help you meet your GDPR obligations. Organisations must also conduct regular GDPR audits, put in place GDPR-compliant policies and procedures, provide GDPR training and implement GDPR compliance on their company websites.