Personal Data is a Fundamental Right: the Human Side of GDPR

By Jan Kruger, Executive Vice President, Risk Portfolio, February 7, 2018

If personal data is likely to become the capital that shapes and powers a new digital single market, is its protection then a fundamental human right?

The European Union would argue yes, as it believes the protection of personal information is the same as other fundamental rights, including the right to freedom of expression. The processing of such information should be designed to serve mankind, the EU says in its General Data Protection Regulation (GDPR). GDPR, which is scheduled to take effect May 25, ushers in the biggest shakeup of privacy rules in decades.

There's truth to the EU's argument, and it's one that companies must consider as they prepare for the deadline. There's a human element here, and the companies that are quick to grasp the magnitude of technology's impact on fundamental rights will be best prepared to capitalize on the growing need for robust safeguards.

Consider that globally about 2.5 quintillion bytes of data are created every day, including roughly 269 billion emails a day and 15 million text messages a minute. Americans alone use about 2.6 million gigabytes of internet data per minute. The digital universe is huge, according to market intelligence provider IDC, which estimates that the amount of data created and copied annually will explode to 163 zettabytes by 2025 from just 16 zettabytes in 2016. That's the equivalent of watching the entire Netflix catalog 489 million times.

Also, consider that the digital technology explosion over the last 20 years has turned everyone into walking data points, and made data personalization crucial to business product development and the consumer experience. By 2025, according to IDC, people will interact with connected devices almost 4,800 times per day, up from just 218 in 2015. Therefore, our personal data has become that much more valuable, and more vulnerable.

And while we live and breathe data, most people are only vaguely aware that companies are gathering information about them, and even less informed about what's being captured. Still, we share everything from ultrasound photos to our daily diets on Instagram.

Take the case of the popular fitness app Strava, which was recently caught in a firestorm of negative publicity when it was reported that the company had inadvertently revealed sensitive information about military personnel on active service. The app's global heat map, built from the exercises users record and share with others, plotted more than 3 trillion GPS data points. Where the only people running with fitness trackers were soldiers, the aggregated routes revealed the location, layout and activity patterns of U.S. military bases worldwide. The data was "anonymous" in the sense that no names were attached, yet the aggregate was still sensitive.

Personal data gets personal. Canadian sex-toy maker We-Vibe last year agreed to pay $3.7 million to resolve privacy claims regarding its "smart" vibrator, which harvested data on how customers used the devices. The information was captured through the companion smartphone app, which collected data such as temperature, intensity settings and frequency of use, linked to the user's email address.

The first step for companies is to understand what counts as personal data and where it's stored. Article 4 of GDPR defines personal data as any information relating to an identified or identifiable natural person, that is, anyone who can be identified directly or indirectly from it. Data about the deceased falls outside the regulation, and so do companies and other legal persons, which aren't data subjects under GDPR.

General personal data includes the information we typically think of as specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person, as well as less obvious online identifiers such as cookie identifiers, IP addresses, device identifiers and RFID tags. GDPR also carves out for special treatment (Article 9) another level of personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, together with genetic data, biometric data used to identify someone, and data concerning health, sex life or sexual orientation. Processing these special categories is prohibited unless one of a short list of exceptions applies, such as explicit consent.

The regulation lays out strict requirements on data management, handling, storage and security. Companies must tell people how their data will be processed and on what legal basis, and where that basis is consent, they must give people the opportunity to grant it freely and to withdraw it as easily. Companies must also limit the use of the information to the specific purposes it was collected for, collect no more than those purposes require, ensure its accuracy, keep it no longer than necessary, and put in place technical and organizational measures to secure and protect personal data going forward.

GDPR governs the processing of personal information belonging to individuals in the EU, whatever their nationality, but companies could use the law as a template for responsible data practices regardless of their customers' location. It also presents an opportunity for companies to take stock of data assets and identify what's important.

With less than four months to the start of GDPR, the debate about personal information is at an all-time high. However, if we agree that data protection is a fundamental human right, then rather than fear GDPR, companies should view the regulation as a call to action. It's a reminder that businesses have a responsibility to secure their customers' privacy, not only because failing to do so would subject them to hefty fines, but also because a responsible company is a trustworthy one. And trust is fast becoming a new competitive advantage.


What are the GDPR implications to my business?


There are several; to name a few:

  • The EU GDPR has sharp teeth: Under the GDPR, fines for the most serious infringements can reach 20 million Euro or four percent of a company's global annual turnover for the preceding year, whichever is greater. A lower tier of up to 10 million Euro or two percent applies to infringements such as failing to keep records or to notify a breach.

  • It affects companies worldwide: It's not a question of where the company is headquartered. The regulation applies to controllers and processors established in the EU/EEA, regardless of where the processing itself takes place, and to companies not established in the EU/EEA if they offer goods or services to people in the EU/EEA, irrespective of whether a payment by the data subject is required, or if they monitor the behaviour of people in the EU/EEA, for example through tracking cookies or profiling. The regulation has very broad reach, applying to virtually any company doing business in the EU.

  • A data protection officer is required in some cases: Article 37 requires a data protection officer for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organizations whose core activities involve large-scale processing of the special categories of data or of criminal conviction data. The often-quoted 250-employee threshold comes from an early draft and does not appear in the DPO rule of the final text; in the adopted regulation, 250 staff is only the threshold for the record-keeping exemption in Article 30. The European community wants to ensure that organizations processing a lot of sensitive data have someone who takes responsibility for that information, and the DPO role is part of the new law.

  • Organizations must report breaches: Under Article 33, companies must notify the competent data protection authority, such as the UK's Information Commissioner's Office (ICO), of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A notification made later than 72 hours must explain the delay. Where the breach is likely to result in a high risk to individuals, Article 34 also requires that the affected people be told without undue delay. Processors must report breaches to their controllers without undue delay so the controller's clock can start.

Data protection is no longer just the responsibility of IT. It's time to start getting answers about your own data and existing security measures.  To get fully up to speed with GDPR and how it may impact your business, download our free eBook.


Topics include locating and classifying your data, running a gap analysis, allocating resources and setting timelines, positioning the right people into place, developing and implementing processes, policies and technology, and testing the health of your processes and incident response plans. Download your free copy of our eBook now.