With great data comes great responsibility. To help you stay ahead of the shifting GDPR guidelines, we put together a guide to staying compliant in 2020.
January 7th, 2020
In today's digital society, the way companies handle data is under scrutiny. Privacy feels more like a luxury than a right: data breaches frequently expose the personal data of millions of people, and companies sell it to the highest bidder.
At best such breaches result in unwanted advertising. At worst, people's private information is sold on the dark web. Either way, it is an unsettling thought, and to address the growing concerns over its citizens' data, the European Union introduced the General Data Protection Regulation (GDPR).
This regulation addresses how companies should handle their customers' data, as well as the rights consumers have over the way it is used. The consequences for non-compliance are, understandably, strict. To help you navigate GDPR and avoid millions in fines, this guide covers the following chapters:
The European Commission sought to define new and more effective objectives for data protection in Europe, and GDPR was a way to adapt and transform existing laws to address emerging issues in an increasingly digital world.
The laws are designed to give EU citizens control over their personal information and create a regulatory environment for businesses and citizens in which there is a clear framework of rules regarding the handling of private data.
By setting a new standard for consumer data handling, the companies that handle the data were faced with the challenge of aligning their systems and processes with the new laws.
Personal data is the core subject the GDPR laws revolve around. While there is no definitive list of what is or what is not considered personal information, Article 4(1) of the GDPR defines it as “any information relating to an identified or identifiable natural person (data subject).”
The GDPR laws also specify that:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
What the GDPR addresses, in this case, is any information that makes it possible to identify an individual. There are, however, disputes over what information can be used to identify a person.
For example, political opinions are explicitly listed as a special category of personal data (Article 9) that calls for extra protection, and an IP address is an online identifier that counts as personal data whenever the holder can link it to a person. Working out which of the information you hold is personal data is the first step to staying compliant.
When it comes to the protection of consumers' data, the GDPR sees companies and organizations as responsible.
GDPR applies to any business or organization established in the European Union, regardless of whether the processing itself takes place inside the EU. It also applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. The essence of the regulation is that if you process the personal data of individuals in the European Union, you must be GDPR compliant.
One of the many requirements is that certain organizations must designate a Data Protection Officer: public authorities, and any organization whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Other organizations may appoint one voluntarily.
The principle behind GDPR compliance is data protection by design and by default: companies and organizations must treat user privacy as an essential requirement when designing the security strategy for their products, not as an afterthought.
Although it has been in force since May 2018, GDPR still demands changes in company paradigms and continues to push companies to prioritize the protection of personal data. Below are the first steps to doing so:
The first step to fully complying with GDPR is to understand the obligations it imposes on your organization. A compliance audit is recommended to test whether the business is actually compliant rather than assuming it is.
If your organization is required to appoint a Data Protection Officer, or chooses to, that person is the natural owner of this work: explaining the regulation and applying it to the business.
Every EU member state has a Data Protection Authority, the body responsible for enforcing GDPR. Each company or organization also needs to keep records of its processing activities (Article 30), often called a Data Processing Register, listing every activity that involves personal data, its purpose, the categories of data and recipients, and how long the data is kept.
The classification and evaluation of customer data are of vital importance: you need to know who controls and who processes each piece of information, and how it is protected.
Applying security policies and evaluating the data life cycle, from collection to destruction, is part of this critical step. It is also necessary to complete a Data Protection Impact Assessment for high-risk processing and, where you rely on legitimate interests as a lawful basis, a Legitimate Interest Assessment.
Understanding how to stay compliant as a business will be essential in 2020, and failure to do so comes with substantial consequences. Non-compliance can result in penalties of up to €20 million or 4% of a company's annual worldwide turnover, whichever is higher, often causing irreparable damage to a company.
Fines are calculated based on the severity of the infringement. The most serious cases involve violations of individuals' data rights: personal data shared without a valid lawful basis, or companies and organizations that have not put appropriate measures in place to secure that personal information.
Below are a few landmark examples of GDPR non-compliance fines in recent years.
British Airways faced one of the largest GDPR fines proposed to date. In July 2019 the Information Commissioner's Office (ICO), the data protection authority of the UK, announced its intention to fine the airline £183 million over a 2018 data breach, during which traffic to the British Airways website was diverted to a fraudulent site that harvested customer details.
As a result, personal data of roughly 500,000 customers was compromised. The proposed fine is equivalent to 1.5% of the company's worldwide turnover for 2017.
Like British Airways, the Marriott hotel chain suffered a data breach that drew a proposed ICO fine of £99 million (about €110m). The breach of its Starwood guest reservation database exposed roughly 339 million guest records, including names, email addresses, phone numbers, passport numbers and, for some guests, payment card details.
The French Data Protection Authority (CNIL) found Google in breach of GDPR in January 2019 and fined it €50m. The CNIL cited Google's "lack of transparency, inadequate information, and lack of valid consent regarding ads personalisation" as the grounds for the fine.
Naturally, no company wants to pay even a mild non-compliance fine, let alone a severe one. And while the full text of GDPR is available online, navigating it and implementing it correctly can be tricky.
To help you align your activities with the primary objective of the General Data Protection Regulation, which is to give the public more control over the information that companies hold about them, here are the rights individuals have and what each one demands of your systems.
Consent is one of six lawful bases for processing, not a blanket requirement; the others include performance of a contract, a legal obligation and legitimate interests. Where you do rely on consent, it must be freely given, specific, informed and unambiguous: make the request explicit, explain how the data will be used, and record when and how consent was given so that you can prove it later.
The right of access means your customers can ask what personal data you hold about them, why you process it, who receives it and how long you keep it, and obtain a copy. This includes records of how and when they gave consent, so keep this information readily available; requests must normally be answered within one month.
Alongside access, individuals have the right to rectification: if any information you hold is inaccurate or incomplete, they can require you to correct it. Keeping customer data organized and stored in one place makes it far easier to comply.
Individuals can also exercise the right to erasure (the "right to be forgotten"), which applies in particular when data is no longer necessary for the purpose it was collected for, for example customers who are no longer actively involved with a company but whose data is still being stored.
Whether it's mailing lists or inactive account details, it's always best to proactively delete data belonging to inactive consumers under a defined retention policy, rather than wait for a request.
Separately, individuals have the right to restrict the processing of their data, for instance while they contest its accuracy or while an objection is being considered. This right is closely related to the rights of rectification and objection, and it is vital to have systems in place that can flag a record as restricted and stop every processing path if such a request comes in.
The right to data portability lets individuals receive the data they provided to you in a structured, commonly used, machine-readable format and transmit it to another company, or have you transmit it directly where technically feasible. Plan for this export when designing how customer data is stored.
The regulation also allows individuals to object to the processing of their data in certain circumstances. For direct marketing the objection is absolute: once a customer objects, their data must no longer be used for that purpose.
One of the challenges GDPR presents concerns profiling and automated decision-making: using customers' personal data to make decisions about them or to build profiles of them.
Article 22 gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them. Exceptions exist, namely where the decision is necessary for a contract, authorised by law or based on explicit consent, but even then the individual must be able to obtain human intervention, express their point of view and contest the decision.
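As an added example (not code from the original article or from Veriff), the Python sketch below shows the request-handling paths the rights above require in a customer data store: consent recording, access, rectification, restriction, objection, portability export, erasure, and retention-based purging. A single `may_process` gate is the design point: every processing path asks it first, so a restriction or objection takes effect everywhere at once. The purposes, the 730-day retention period and all names are assumptions.

```python
"""Added example: request-handling paths a system needs to honour GDPR data-subject rights.
Not Veriff code; purposes, names and the 730-day retention period are assumptions."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Purposes assumed to rely on consent (Art. 6(1)(a)); anything else is assumed to rest on
# another lawful basis (e.g. performance of a contract) and needs no consent record.
CONSENT_PURPOSES = {"direct_marketing", "profiling"}
RESPONSE_DEADLINE = timedelta(days=30)   # Art. 12(3): answer a request within one month
RETENTION = timedelta(days=730)          # hypothetical policy for inactive accounts


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class SubjectRecord:
    subject_id: str
    data: dict                                     # the personal data actually held
    consents: list = field(default_factory=list)   # append-only consent history
    audit: list = field(default_factory=list)      # what was done to the record, and when
    restricted: bool = False                       # Art. 18 restriction in force
    last_active: datetime = field(default_factory=_now)


class DataSubjectStore:
    def __init__(self) -> None:
        self._records: dict[str, SubjectRecord] = {}
        self._erased: dict[str, list] = {}         # audit trails kept after erasure

    def _log(self, rec: SubjectRecord, action: str, detail: str = "") -> None:
        rec.audit.append({"when": _now().isoformat(), "action": action, "detail": detail})

    def register(self, subject_id: str, data: dict, last_active: str | None = None) -> None:
        rec = SubjectRecord(subject_id, dict(data))
        if last_active:                            # ISO-8601 timestamp, for retention checks
            rec.last_active = datetime.fromisoformat(last_active)
        self._records[subject_id] = rec
        self._log(rec, "collected", ",".join(sorted(data)))

    def has_subject(self, subject_id: str) -> bool:
        return subject_id in self._records

    def record_consent(self, subject_id: str, purpose: str, granted: bool, source: str) -> None:
        rec = self._records[subject_id]
        rec.consents.append({"purpose": purpose, "granted": granted,
                             "when": _now().isoformat(), "source": source})
        self._log(rec, "consent", f"{purpose}={granted} via {source}")

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Gate every processing path through this single check."""
        rec = self._records[subject_id]
        if rec.restricted:                         # Art. 18: restriction blocks everything
            return False
        if purpose not in CONSENT_PURPOSES:        # other lawful basis assumed
            return True
        history = [c for c in rec.consents if c["purpose"] == purpose]
        return bool(history) and history[-1]["granted"]   # latest decision wins

    def access(self, subject_id: str) -> dict:     # Art. 15: data plus consent and handling log
        rec = self._records[subject_id]
        return {"data": dict(rec.data), "consents": list(rec.consents),
                "restricted": rec.restricted, "audit": list(rec.audit)}

    def rectify(self, subject_id: str, changes: dict) -> None:   # Art. 16
        rec = self._records[subject_id]
        rec.data.update(changes)
        self._log(rec, "rectified", ",".join(sorted(changes)))

    def restrict(self, subject_id: str, on: bool = True) -> None:   # Art. 18
        rec = self._records[subject_id]
        rec.restricted = on
        self._log(rec, "restriction", "on" if on else "lifted")

    def object_to(self, subject_id: str, purpose: str) -> None:   # Art. 21, absolute for marketing
        self.record_consent(subject_id, purpose, False, "objection")

    def export_portable(self, subject_id: str) -> str:   # Art. 20: machine-readable copy
        rec = self._records[subject_id]
        return json.dumps({"subject_id": subject_id, "data": rec.data,
                           "consents": rec.consents}, indent=2, sort_keys=True)

    def erase(self, subject_id: str) -> list:      # Art. 17: drop data, keep proof of erasure
        rec = self._records.pop(subject_id)
        self._log(rec, "erased")
        self._erased[subject_id] = rec.audit
        return rec.audit

    def purge_inactive(self, now: datetime | None = None) -> list[str]:
        """Retention: data that is no longer necessary goes even without a request."""
        now = now or _now()
        stale = [s for s, r in self._records.items() if now - r.last_active > RETENTION]
        for s in stale:
            self.erase(s)
        return stale


def response_due(received_iso: str) -> str:
    """Latest date by which a request received on the given ISO date must be answered."""
    return (datetime.fromisoformat(received_iso) + RESPONSE_DEADLINE).date().isoformat()
```

The erasure path deliberately keeps only the audit trail: GDPR requires you to be able to demonstrate compliance, and a log that says "erased on this date" does that without retaining the personal data itself. A real system would persist the consent history and audit log in append-only storage rather than in memory.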
These are some of the measures that companies and organizations can take to comply with the rules imposed by GDPR. For more information about the specific guidelines for your country, get in touch with your Data Protection Authority.
With great data comes great responsibility.
In addition to accommodating consumers' rights over how their data is used, companies are also responsible for protecting that data against security breaches and fraud. One way to do this is by working with digital security and fraud prevention experts like Veriff.
Veriff Station is a flexible identity verification and fraud prevention tool that verifies customer data and safeguards your company against online fraud. Learn more about Veriff Station and sign up for a free 30-day trial, including 100 verifications.