"Information into insight"
Every time you use a device to search the web or purchase something online, your data is being stored on a server somewhere in the world. Companies use this data in varying degree to figure out your likes and dislikes. Their goal is to create new products or services for greater benefit; meaning you’ll be more likely to spend hard earned cash for their offerings. But, you don’t have control as to how the recipient protects and uses your data. The hope is that all of your information is tightly locked away and well encrypted on their servers.
With the increase in businesses using cloud-based platforms, who controls and safeguards your data enters a gray area. Add to this that data breaches are escalating in size and scope, and the issue of privacy becomes all the more threatened.
On the other hand, if you’re a business owner, data collection is the primary way you analyze what you’re doing wrong versus what you’re doing right in terms of your consumers. It’s important for you to know and understand which product or service is in demand. In a global marketplace, competition is fierce. For this reason, gathering and analyzing consumer data is crucial for you to remain a dominant force in your market share.
Is there a solution that protects the consumer while still benefitting the world of business?
In 2016, the European Parliament launched the General Data Protection Regulation (GDPR). This regulation is set to take full effect on May 25, 2018. The two-year delay was enacted to allow time for businesses to make adjustments in several key aspects of their data gathering and storage process
GDPR defines the responsibilities of both a controller and processor of data. A controller can be an enterprise or other organization who is initially gathering the data. So, if you own a bike shop and a consumer orders a product from your e-commerce site, you would be the controller of the data. While it’s true that you can also be the data processor, should you use a third party for data warehousing, such as Amazon Web Services (AWS), it is AWS who will likely fall under the “processor” classification. There are, however, legal ramifications if the processor doesn’t follow the GDPR requirements.
The GDPR document is a massive 88 pages long and describes, in great detail, the roles and responsibilities of data collectors and processors. There are several key points to keep in mind if you’re within EU jurisdiction or you’re collecting data from EU citizens:
- Ownership of the data is placed back into the hands of the consumer or “data subjects”;
- Data subjects must give consent to have their data collected, and this is separate from other terms of service and conditions;
- The data subjects have a right to access and transfer their personal data or notify the data controller that their data is to be erased -- this is known as the “right to erasure”;
- For certain organizations, a Data Protection Officer must be assigned to ensure the security of the data collected;
- There are substantial penalties for non-compliance that can include up to 2% of total global annual turnover or 10 million euro (whichever is greater)
Individual Member States in the EU still maintain discretion as to how they will handle their sanctions for non-compliance. Given the extensive language in the GDPR, it’s difficult to state with certainty how it will affect small to medium size businesses. If feasible, the best course of action is to inquire with legal counsel within your country. Several actions you can take now include:
- Establishing a plan for both increasing cyber security and how to manage data breaches.
- Creating a detailed policy for how data is handled within your business including international data transfers.
- Reviewing how you will provide a consent framework for your data subjects.
- Crafting a clear and easily readable privacy consent policy; this must also be easily accessible to the data subjects.
Keep in mind that It will be up to you to defend storage of personal data so conferencing with legal counsel is, again, essential. The nuances of the regulation will unfold after it takes full effect in 2018. Only time will tell if certain restrictions are workable for the variety of data gathering that occurs internationally and within the boundaries of the EU. Returning to you as an individual from whom data is collected, the GDPR definitely places you in the driver’s seat regarding the who, what, where, when, and how of your personal information.
To get all the benefits of Array, sign up here for free.