The ins and outs of GDPR

Your inbox has most likely been inundated lately with notifications of companies updating their privacy policies. Everyone wants you to know they have taken the time to get their policy up to date and this, of course, is a good thing. But why now? Well, it probably has something to do with the General Data Protection Regulation (GDPR) deadline that just passed on May 25, 2018. In an effort to be GDPR compliant, companies have been paying closer attention to the way they access, store and dispose of personal data. They want customers to know they care, and they want GDPR to see they are following the rules.

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation that outlines the way companies and organizations need to handle the personal information of customers within Europe. The regulation replaces an older policy that dates back to 1995. Because the way we do business and share information online has changed drastically in the last 20+ years, the European Parliament ruled that an updated regulation for data management was required. Customers have become increasingly concerned about data breaches, the re-selling of personal data and other violations. Any company doing business in Europe must be GDPR compliant in order to avoid the hefty fines that will be imposed for mismanagement of personal data.

What constitutes “private data”?

Under GDPR, companies need to broaden their understanding of what actually constitutes private customer information. The following information is considered private data, and therefore needs to be accessed, handled and disposed of carefully[1]:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Companies need to access and manage customers’ personal information for a variety of reasons, but there is an increasing awareness of the responsibility they have to handle this information carefully and to dispose of it as soon as possible. Some organizations even turn to third-party firms to assist with data protection strategies. Darren Gallop, Co-founder and CEO of Securicy, says the way we collect data has changed over the years and the new European regulation makes it difficult to gather data gratuitously: “Under the GDPR, you need to have a reason – a real reason – to capture data, or you need to have consent. (…) There also needs to be some consideration around how long you actually need that data and when you are getting rid of it.”

Gallop says his company offers customized data protection services so that clients can focus on their business, knowing their data protection is being professionally managed. “We have analysts on our team that are constantly monitoring the current landscape, constantly assessing what new cyber security tools are coming out in the market and watching the trends. (…) So you really have this sort of watchdog thing happening in the background.”

Connect&GO’s commitment to data security

At Connect&GO, data is captured in order to offer customized RFID solutions for clients. Guests create personalized profiles, and the more information they include in the profile, the more tailored their experience can become. CEO Anthony Palermo says the entire Connect&GO team understands the responsibility associated with handling customers’ personal data: “We are very aware of the sensitive nature of this data and we make it a priority to dispose of all personalized data immediately after the guest has finished participating at the event or attraction.” Connect&GO offers guests the ability to opt in or to exclude certain personal details when registering their profile. Guests may also request information regarding Connect&GO’s management of data, and/or request that the company destroy any trace of their personal information from the system. This last request is known as the “right to be forgotten” and it is an essential part of the service offered by Connect&GO. Palermo says, “We want our clients, and their guests, to feel confident knowing we will not share their personal data with external parties, and that we will do everything we can to protect it from violation.”

Education is essential

According to Darren Gallop, a big part of any company’s data protection strategy should be education for their own employees. He says Securicy solutions are “customized around your business, your data and your workflows (to) engage your staff and educate your staff so that they become aware and broaden this whole mentality of being secure, which essentially creates a human firewall.”

Who actually handles data?

There are three key players when it comes to data management: the controller, the processor and the data protection officer. While companies may act as the controller and outsource data processing to an external firm, under GDPR both parties will be held liable in the event of a breach.

A company’s Data Protection Officer (DPO) is responsible for overseeing the processes by which the company accesses, handles, stores and disposes of customers’ personal data. The DPO needs to understand shifts in the data protection landscape and needs to be aware of new security protection tools and trends. While larger companies may assign this role to a full-time employee within the company, smaller organizations may find it useful to outsource data protection officer duties.

As Gallop explains, there can be a conflict of interest if data protection officer responsibilities are simply added to an employee’s existing tasks in another role. “If you have somebody who is head of product who’s also the DPO, and they’re the person responsible to deliver on a product goal, it sets them already in a state of conflict because it will slow the delivery down to do tests and review all the vulnerabilities and then implement security strategies before launching the product.” Having a remote DPO may offer certain advantages because that person will have the necessary security certifications and will be able to devote their attention to data management news and developments.

Steps towards tighter security

While some companies have been GDPR compliant for years, others are scrambling to get a coherent data flow map and data breach strategy in place. It is important to draft detailed contracts and privacy policies, and to be transparent when it comes to sharing this information with stakeholders, employees and customers. Companies need to demonstrate a willingness to comply with GDPR and an ability to properly manage circumstances in the case of a breach. GDPR may be European legislation, but there are similar rulings in North America, and tighter security laws make sense for the entire global business community.
