GDPR: Are You Getting the Fundamentals Right?
Overview
It is nearly three years since GDPR came into effect in the European Union. While the legislation has provided enhanced rights for data subjects, the experience for many people is that organisations still are not getting it right.
The aim of this paper is to:
- Explain the underlying privacy concepts
- Clarify the lawful bases so organisations can process personal data legally
- Highlight common errors and provide some steps that can be taken to correct these
Why is Privacy and Data Protection Important?
Privacy and data protection should be a core value of any organisation, not just to avoid legal ramifications of non-compliance but also to realise the benefits that a good privacy and security culture brings to both businesses and data subjects.
How an organisation uses and shares an individual’s personal data is becoming increasingly important to people and impacting on their decisions to stay a customer or move to a competitor.
For example, in a survey of data subjects conducted by Cisco in 2019 shows:
- 48% have changed organisation due to privacy policies or data sharing practices
- 47% have greater trust in organisations that must comply with GDPR
Trust is also a critical part of people’s decision making. Sites like TrustPilot, Yelp and TripAdvisor are increasingly influencing which organisation a data subject will do business with. A survey in 2019 by Salesforce showed that:
- 89% of data subjects are more loyal to organisations they trust
If an organisation wants to build trust, it must be open, fair, and transparent with what they do with personal data. In the Salesforce survey:
- 70% of respondents associated transparency with trust.
However, if an organisation is seen as untrustworthy or breaks the trust with data subject it will lose customers and put off potential new customers. The Salesforce survey showed that:
- 65% of data subjects will stop buying from these organisations and move to a more trusted (or less distrusted) competitor
- 54% of data subjects surveyed stated they would walk away if they felt personal data collection was excessive or unjustifiable.
This last statistic shows why organisations need to make privacy and data protection part of their brand. Organisations should no longer be focused on the “Can we do this?” question but the “Should we do this?” question.
Privacy and data protection should be considered an investment by the business. The CISCO survey reported the following results from privacy investment:
- 97% of organisations realised benefits such as competitor advantage or investor appeal
- Losses exceeded $500,000 in 37% of GDPR-ready companies but exceeded that value in 64% of the least GDPR-ready organisations
What is Privacy?
Privacy clearly matters, and if an organisation cannot get the privacy right, they will not get the data protection and GDPR compliance right either. But what exactly is privacy?
Privacy can be tricky to define because it can depend on:
- Where you live & the culture you live in
- Your age
- Your own experiences of breaches, surveillance, identity theft etc.
For example, the Nordic countries have open information societies where information about individuals can be easily found on websites like hitta.se, and tax records can be purchased from the tax department. Conversely, Germany has some of the most stringent privacy and data protection rules after its experience in the East of Stasi surveillance until its unification.
A useful definition for privacy is found on the International Association of Privacy Professionals (IAPP) site. They define privacy as:
Broadly speaking, privacy is the right to be let alone, or freedom from interference or intrusion. Information privacy is the right to have some control over how your personal information is collected and used.
Privacy conscious organisations consider the privacy intrusion, risks and impacts to data subjects before collecting, processing, and sharing personal data. They inform the data subject in a clear and informative way, and they balance their legitimate interests against the rights of the data subject.
What is Data Protection?
Data protection is often used interchangeably with privacy, but they are different concepts. Privacy is about what personal data an organisation collects, what they do with it, compliance with GDPR and other legislation, and what control the data subject has. Whereas data protection is the measures taken to protect the personal data from unauthorised access, processing and sharing.
Getting Privacy Right
There are seven principles stipulated in GDPR that will help organisations get their privacy approach right. These principles are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Lawful, Fair, and Transparent
Personal data should be processed legally based on one of the lawful bases stipulated in GDPR. It should also be fair and transparent to the data subject through an easily readable and comprehensible privacy policy.
Purpose Limitation
Personal data should be collected for a specific, explicit, and legitimate purpose and not further processed in a manner incompatible with this purpose.
Data Minimisation
An organisation may only collect the minimum amount of personal data that is necessary to carry out the processing.
Accuracy
GDPR also requires organisations to take reasonable steps to ensure that the personal data collected is, and remains, accurate.
Storage Limitation
Organisations are obligated to set out specific data retention periods for the personal data they keep. The basis of this is that personal data must not be kept longer than is necessary for the purposes for which it is processed.
Integrity & Confidentiality
Personal data must be adequately protected against unlawful or unauthorised processing and from loss, destruction or damage using appropriate technical and organisational measures.
Accountability
Organisations should be able to demonstrate compliance with these principles.