The EU has always maintained strong regard in protecting the individual’s privacy about the processing of their data by GDPR. This fundamental right is enshrined in many EU human rights legislation, and now, after great endeavours, this right is enforced throughout Europe and enforced by Europe rather than national legislation. As per Article 99, GDPR is “mandatory in all its elements and directly applicable in each Member State”.
The European Data Privacy Directive of 1995, received overwhelming support in 2014 by the European Parliament. This has been tweaked and fine-tuned to impose and establish a wide range of rights for individuals, including the following:
Improved Data Portability
Allowing individuals to practice the right of accessing “my data,” i.e. personal data held by organisations such as businesses and consumer groups.
In particular, this information can be used to compare the various money-saving websites to provide clear information to assist in decision-making processes about comparing such consumables as:
- Bank accounts
- Credit cards
- Credit reports
- Utility suppliers
- Mobile phones
The regulation establishes that individuals can enjoy the right to receive the requested personal data in a structured format and with the ability to transmit this data to another data controller.
Extra Protection on Profiling and Automated Decision Making
An impartial and independent body known as “Article 29 Working Party” has been working alongside the EU Commission since 1995, providing and publishing opinions and guidance throughout the journey. Their advice and guidelines on automated decision making and profiling of individuals are strict due to the genuine need to safeguard the rights and freedoms of individuals.
What exactly constitutes Profiling and Automated Decision Making, and when would they ever be legitimately utilized?
Organisations will use the data to predict online behavior; generally within the context of marketing purposes, for example, email marketing campaigns use profiling with the view to assist with the targeting of goods and services. The purpose is to predict an individual’s’ online behavior and make “automated decisions” regarding this behavior which leads to the second issue of Automated Decision Making.
The Working Party advice on automated decision making is clear, while it recognizes the benefits of these activities, it also points out that significant risks may arise for the rights and freedoms of individuals. This Law stipulates that individuals “have the right not to be the subject of a decision based solely on profiling or automated methods” when this is based on direct marketing.
It will be an interesting GDPR obligation journey in this respect to witness the reactions of big data-driven organisations and popular social networking organisations when it becomes the norm for individuals objecting at every turn to the processing of their data, including the creation of profiles to the extent that it is related to unwanted marketing.
What is GDPR
Privacy by Design
Rather like new housing development that has to include, in the initial planning stages, essential technological advances must assure protection to the environment and be eco-friendly. The same can be implemented for any new technological construction regarding protecting the individual user.
Also known as “privacy by default”, this law’s new concept provides data security guarantee from the beginning of any new technical construction or design development. For example, an application or program, an app, development of electronic commerce, the internet of things, anything where personal data will be processed. Developers of applications, products or services are required to have specialized knowledge in the privacy and data protection field from the design, development and launch phases.
GDPR Obligation Acts
One positive gain is, this obligation acts as a safeguard from the outset regarding any new development. Privacy in the design is a proactive measure and seeks protection throughout the life cycle of the product or service.
Proactive design and development will eventually lead to improved organisations, that build software with the Data Protection obligation in mind because it is easier to plan and develop from the starting point based on a clear legal framework. This will facilitate peace of mind when engaging in business to business activity, eliminating the worry of not complying with the data protection obligation requirements regarding data protection.
What is Privacy by Default?
The default privacy is to offer the maximum privacy guarantees by default in the design of applications or general products or services that deal with personal data. If there are several privacy settings, they have to be marked accurately by default, because that offers greater guarantees of privacy as required by the individual.
The default privacy also implies:
- The minimizing of data, that is, the minimum possible data to be collected to ensure that the product or service can fulfill its purpose.
- The control of access can be given to only personnel that requires access to the data for the development of their profession, will have access to this data, and that data will not be transferred to third parties, is not mandatory or is not explicitly informed and consented to by the interested party. For this, techniques of pseudonymization can be applied (pseudonymization encrypts the data as a security measure to ensure data can become anonymous).
- The data storage periods must be made fully transparent to users and personnel and be limited to what is strictly necessary with any extension of storage to be minimized to recommended legal storage periods.
- Transparency is integral and requires informing the user about the processing of their data with clear, concise and understandable information.
A practical example is found in many gaming apps where, personal information is requested, like permission to access phone contacts, camera images, SMS and phone calls. Whereas, access to all of these is unnecessary to play the game.
GDPR Social Networking and the Right to be Forgotten
Privacy is a fundamental right and must be preserved with a degree of firmness.
Mark Zuckerberg recently announced that his organisation, Facebook, will not be implementing the same level of GDPR protection in the US, but would tweak GDPR obligation for European users. It will be seen that the US users will lack in protection, but one of the most apparent rights that Facebook might wish to play down is the right to erasure, or the right to be forgotten. The scandal about the unauthorized and unwarranted utilization of the personal data of 50 million Facebook users has put the dominant tech-company in a complicated situation that may actually damage its already in-dangered reputation due to its role in the circulation of fake news.
Ensuring the privacy and protection of user information is an unavoidable GDPR obligation for all organisations, especially that of Facebook. Such rights are daily violated and make the need for legislation like the GDPR compulsory. Brands such as Google and Amazon accumulate innumerable private information and manipulate this data for their marketing campaigns.
Advocates concerned with privacy have campaigned against the incorrect use of data. The future of the GDPR obligation is looking to be a bright one for those who seek or defend the right to privacy. Facebook’s decision not to implement the full scope of the GDPR for US users has raised suspicions about its ability and efforts to regain the trust of users especially in light of recent data mining abuses.
The company can do so with its firewalls for false information on the Web and established software to enable it to identify content reliably, also has an increasing responsibility of ensuring control over the advertising of political campaigns, even at the cost of losing part of its primary source of revenue. There is no denying that technology companies such as social networking sites have helped to create a free, open and interconnected world. They have become not just the engine but also the DNA of globalization. Leaking private data highlights the fragile and vulnerable nature of our personal information in the hands of these giants.
The US Government, British Parliament, and the European Parliament as well as representatives of the 500 million people affected by Facebook’s personal data leak, demand assurances, convincing answers and effective measures from Facebook.
✓ International Data Transfers
In this current global economy, it is ubiquitous for cross-border transfers of personal data. Sometimes this data is maintained on servers in several different international countries. The GDPR protection will go along with this data, which ensures that the GDPR obligation regulations that secure personal data with the EU will keep on applying regardless of where the data will eventually end up.
Article 49.1 states that data can be transferred only to those countries where there is no same level of protection. Also, when there has been an express consent to the transfer, and then only after the individual whose data is being transferred has been made fully aware of the risks of such transfer. Such awareness has to be in the form of an explicit statement in writing, and the consent of the individual concerned has to be seen to have been obtained in an indisputable manner, through a written declaration and signed by the individual.
Article 7.1 of the GDPR obligation gives a comprehensive list mentioning the ways to be able to demonstrate this appropriate consent in an accurate way and the recommendations by Article 29 Working Party – in its document “Guidelines on Consent under Regulation 2016/679”. At times, the EC can make a decision, based on the rules of adequacy where it is declared that a non-EU State offers an adequate level of data protection thus allowing data to be transferred to an organisation within that country.
This would provide for less explicit requirements to gain consent and provide guarantees because such transfers are deemed to be to a “suitable” country with processes assimilated to that of data transmission and protection within the EU. In the absence of a decision of adequacy, the transfer can be made through the establishment of “adequate guarantees” provided the individual whose data is being transferred have enforceable rights and effective legal action.
Such adequate guarantees include, among others:
- in the case of businesses engaged in joint economic activity, those businesses can transfer personal data by “binding corporate rules”,
- contractual agreements with the recipients of personal data, for example, standard contractual clauses approved by the European Commission,
- Adherence to decided codes of conduct, certification mechanisms and binding and enforceable commitments assumed by the recipient about the application of adequate guarantees for the protection of transferred data.
Finally, if a transfer of personal data is planned to a country that is not subject to any of the above adequacy provisions, and in the absence of adequate guarantees, the transfer can be made based on several exceptions in specific situations.
For example, when a person gives consent to the proposed transfer after receiving all the necessary information about the risks related to such transfer.
For international countries lacking the vital adequacy provisions, you are required by the GDPR obligation to develop a system of certification and adopt a code of conduct for your company to pay its responsibility to offer adequate guarantees to ensure no risk to the privacy of the owner of the personal information being transferred.
Business organisations are propelled to adopt the mechanisms set out by the GDPR obligation to obtain consent to comply with this new vision, to ensure that consent and permission is free, informed, specific, definite and explicit. Using tools that demonstrate individual consent to make it doubtless entirely, is one of the most critical challenges. Those who are responsible for handling the data will have to assume this in their organisation.
✓ Phishing, Ransomware, Online Fraud and Hacking
Cybercrime is growing globally, and a particular dystopia is emerging regarding how personal information is being mistreated, thus creating victims of online fraud, hacking, phishing, ransomware. There has to be a corresponding rise in policing and fighting this abuse and harm against innocent individuals whose information is not adequately protected. In this way, the GDPR obligation is a welcome unified model for those who process customer data.
Most global organisations should have in place a structured plan and a good knowledge of the GDPR, and the consequences of non-compliance. GDPR obligation fines are high for businesses,
- Up to 4% of their annual revenue or
- Up to 20 million euros, or
- Whatever is higher.
Analysts evaluated that GDPR obligation fines will continue to rise under the GDPR Regulations.
Fundamentally, what you need to be thinking about is how you look after the personal data that you use in your business, data that belongs to your customers, to your employees, as well as individuals and third parties. The three most essential elements to bear in mind are:
Being compliant, transparent and accountable for what you are doing with personal data and how you are managing the risks are all part and parcel of good business practice and ethics. Embracing the GDPR obligation ensures a well set up and legally compliant organisation in a modern and thoughtful business environment.
If you are non-complier of GDPR, now is a good time to revisit your existing practices. Check that are they hitting the right notes and truly delivering the requirements to manage the risks that you are taking with data. Many organisations take the GDPR obligation as a real challenge, and with good reason. As understanding how all the data is being used everywhere in your organisation can be difficult, with many different lines of business and many different conflicting priorities.
In place of viewing the GDPR obligation as a tedious piece of the legislation take it as a vast opportunity to invoke trust in an increasingly complex digital world.
Why wouldn’t you want to reinforce and build the confidence of your customers that their data is being safeguarded in your organisation?
The action is compulsory, GDPR compliance is essential, and the correct approach must be taken. If you do not have the expertise in-house, GDPR obligation specialists such as Seers will be your ideal partner as they can ensure your business priorities for the GDPR obligation are achieved.