The evolution of the Internet not only improved overall life quality but also offered new services that connected billions of people.
Users trust their personal data to companies like Google, Facebook, and Amazon to feel unique digital experiences like online shopping, accurate and fast data lookups, and networking. Digital corporations process petabytes of personal information per day.
The business model of such companies is focused on the collection, storage, analysis, and other operations with user-generated content and personal information.
But is this data secured properly? Let’s have a closer look.
Why is data protection an important issue?
Hackers and criminals realized the high importance of personal data as it can be easily used for cyber theft, financial fraud, and blackmail. However, the increasing amount of data and the neglect of data security measures in companies’ infrastructure created ideal conditions for data leaks.
Even though serious data breaches entail significant losses – the affected organizations in most cases survived the “disaster” and continued their activities as usual. Briefly, even the high losses associated with data leaks could not play the role of the driving force to make the situation change. Damages caused by personal data leak were perceived as a predictable and manageable business risk.
If private companies do not pay attention to the protection of personal data, it is time for governmental institutions to become a game-changer. That is why the General Data Protection Regulation was created. The main idea of this document is to regulate all issues concerned with personal data protection. The essence of the GDPR is to make personal data processing more secure and transparent for users.
What is GDPR in simple words?
In May 2018, EU law 2016/679, better known under the acronym GDPR (General Data Protection Regulation), which regulates personal data (PD) protection of all individuals located in the European Union, came into force.
The main idea of the GDPR is the opportunity to learn about the way personal data is processed. It mainly concerns the residents of the European Union, however all countries all around the globe are affected.
According to this regulation, every EU citizen can request personal information about himself from any companies in the EU and those based outside the EU, but offer goods or services in the European Union.
For example, during the sign-up process on any site, the majority of users automatically ticks the box about personal data processing, and almost no one reads what will happen with their data.
Now, owners of the websites and digital services should receive user consent each time they need personal data of the users. The user can change the choice made before and revoke his permission. In this case, the owner must completely delete the information.
What are the consequences of non-compliance with GDPR?
The first year of the GDPR clearly showed that compliance with the requirements is actively monitored, and the implementation of new rules is mandatory for everyone. We can divide the consequences into three main types: financial fines, reputational, and commercial risks.
Probably, financial consequences are the most discussed one since the fine can be up to 20 million euros or 4% of the company’s annual turnover, whichever is more expensive.
The most serious fines will be imposed on companies that do not comply with the basic principles of personal data processing and violate user’s rights.
For example, British Airways received a fine of 204.600.000 (!) euros for insufficient technical and organizational measures to ensure information security, which led to the personal data leak of hundreds of thousands of airline customers.
These consequences can be even more damaging than financial fines.
GDPR fine is a blow to the company’s reputation, which shows insincerity as well as an incompetent attitude to personal data. Lack of trust and negative public opinion can seriously affect the future success of a company.
Impossibility to show that your company is GDPR-compliant can lead to the customers loss.
Customers do not want to endanger their personal data. GDPR can also affect business activities: many companies may not want to become a partner and share information about their customers with non-compliant companies.
Although regulatory authorities require GDPR compliance today, companies still have time and opportunity to improve personal data processing algorithms.
Who should ensure GDPR compliance?
Perhaps the most controversial, but also the most interesting aspect of the GDPR, is the requirements for companies outside of the European Union. It is important to remember that the goal of the GDPR is to increase transparency and company responsibility but not to punish someone.
According to the GDPR, any person residing in any of the EU countries should be protected. The actual location of the organization does not matter. As for the large multinational firms conducting operations in the EU, the scenario for the improvements is quite straightforward.
A much more interesting is the regulation of companies that offer goods and services to EU residents, but are not directly present in the European Union.
Whether you are located in the EU, USA, Middle East, CIS, or wherever, the regulation should be applied to each company processing personal data of all persons located in the EU. It means that Azati, as a trusted vendor for various European partners, should comply with the GDPR too.
How does GDPR affect development?
The authors of the GDPR state that rapid technological development has led to an unprecedented collection of personal information around the globe. Almost every product or service anywhere in the world can freely collect and use personal data from users. The GDPR reflects the need to put into practice the already known concepts of “privacy by design” and “privacy by default”.
“Privacy by design” calls to minimize the collection of personal information necessary for the product, service, or project. Before starting any process, the GDPR recommends assessing risks to which a user (personal data subject) will be exposed as a result of the processing of his personal information by your resource (department, employees).
“Privacy by default”, in turn, calls the owners of products and services to process only the information necessary for the service or application. And store it until the moment the user continues to use this product or service.
In this case, the GDPR pushes us to “consciously strive” to follow these principles in practice, which, in the future, will lead to a complete transition and 100% compliance with the requirements of the regulation.
What should the company do to become GDPR compliant?
- Inform all employees about GDPR.
- Review the data flows. There is no need to collect unnecessary data, but it is better to delete outdated information.
- Make sure that you provide the ability to view, change, and delete personal data. When users delete their data, it should also be deleted from everyone to whom you transferred it or who had access to it.
- Create a procedure according to which the company will respond to user requests for personal data.
- You must receive explicit agreement from users to collect personal information. Record when and under what conditions this agreement was obtained.
- Define the procedure by which information about the violation will be transmitted to users and relevant EU agencies.
- Designate a data protection officer (DPO specialist) to prevent conflicts of interest.
What about Azati?
As soon as the first version of GDPR was published, our team has learned the main points and consulted with various experts in order to avoid additional difficulties for our partners and clients from the European Union.
We are pleased to announce that Azati now has certified DPO specialists (Data Protection Officer) in our team, who can monitor the compliance of our products with requirements prescribed in the GDPR!
We sent the first group to take a course about GDPR-compliance from a certified professional and manager in information privacy of CIPP / E, CIPM – Sergey Voronkevich.
Our specialists graduated with honors from a course lasting four full days of 8 academic hours, examined more than 30 examples from real case studies, solved more than 80 test questions on all topics of the course and finally, they received Data Protection under GDPR – Data Privacy Professional (GDPR-DPP) certificates.
At the moment, our company has gained several advantages:
The trust of customers from EU countries (and other countries)
Our team can quickly guide among the GDPR requirements, and today Azati can fearlessly work with partners from EU countries.
Personal data processing quality
The personal data processing in our solutions complies with GDPR. And our company respects the privacy and confidentiality of the data of the European Union citizens and persons currently located in the EU.
The probability of fines is reduced
Complying with all the requirements of the GDPR, we reduce the possibility of receiving a significant fine.
Simplified and accelerated product development
As it was figured out, the GDPR quite accurately described the requirements for software that processes personal data. We derive the best practices that we are already implementing in all our products.
But we are not going to stop and continue to improve our knowledge by participating in forums and events on Data Privacy.
By the way, one of the recent master classes was held in Minsk from November 18 to 19, 2019 – the only master class in the CIS that was taught by Jason Cronk – CIPT, CIPM, CIPP / US, FIP by the IAPP, PhD Ambassador, author of Strategic Privacy by Design.
The GDPR is a significant step forward to protect personal data, which entails new security standards not only in Europe but also around the world. Users will trust more those companies that declare full compliance with GDPR.
Companies have around one-two years to make their personal data processing GDPR-compliant. That is why it is worthwhile to spend some time to enrich the existing personal data processing approaches, as well as create new rules for processing and monitoring data to avoid significant fines and serious leaks in the future.