The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, but many businesses still suffer from a lack of understanding and think it creates unnecessary burdens on them with respect to data security and compliance. The reality is quite the contrary to this common belief, as GDPR may actually be beneficial for businesses. But before we take a deeper look at how it could benefit businesses, let’s see what GDPR is all about.
GDPR – What Is It?
The General Data Protection Regulation is a regulation, whose aim is to protect EU residents’ personal data. What this means is that provisions of GDPR require businesses to protect the privacy and personal data of EU citizens for transactions happening within EU member states. In addition, the GDPR also standardizes personal data’s exportation outside the EU.
GDPR limits the types of information businesses can collect and use, and demands greater openness about how this information is handled, which includes making disclosures in case a cyber attack triggers loss of data.
According to the GDPR, personal data refers to any information connected to a ‘data subject’ (a natural individual) that can be used, either directly or indirectly, to identify that individual. Personal data that comes under the purview of GDPR includes name, computer IP address, email address, photo, medical information, bank details, or information that has been posted on social networking sites.
The types of privacy data the GDPR protects include:
The GDPR will affect all companies that process or store EU citizens’ personal information within EU states, even when they have no business presence within the EU.
Why was GDPR needed?
The EU’s Data Protection Directive had been in effect since 1995. But that was long before the World Wide Web evolved into the online business hub we see today. Thus, when the European Union evaluated this directive, it found it outdated, flawed, and unable to address the ways in which data is collected, stored and transferred by businesses today.
Due to a lack of clear guidelines and restrictions, primarily because the framework of the earlier era failed to define them well, data collectors had an almost free hand to do whatever they wanted with the personal data they collected, irrespective of whom it belonged to, how they stored and handled it, and what the original intention was in terms of using such data. In other words, data collectors were free to interpret what to do with such data, and in most cases their decision served their own business goals rather than safeguarding the privacy and security of the personal data they obtained and retained.
Uncertainty about how data security should be implemented was another big disadvantage of the pre-GDPR era. Even when businesses had a genuine intention of protecting their customers’ information, they were unsure how exactly they should proceed to ensure this. In the absence of national regulations that could have guided them, they depended on internal policies, which in most cases were either undefined or under-defined.
Perhaps the biggest fallout was treating data privacy protection largely as a self-regulated business activity, which triggered a conflict between a company’s security objectives and its business objectives. Due to the constant focus and emphasis on profitability, business objectives often took precedence over security objectives. Though many companies with genuine intentions of maintaining high standards of data protection and security chose to abide by frameworks like ISO 27001, doing so remained a choice and not a compulsion, in the absence of a regulatory mandate.
In its evaluation, the EU identified these gross failures and agreed that self-regulation wasn’t the way forward. Thus started the groundwork for GDPR, which replaces the EU’s Data Protection Directive and aims to give data subjects (individuals) more control over their personal data, while simplifying data protection rules across Europe.
Even though the GDPR came into effect on May 25, 2018, it had been on the horizon for three years, and the onboarding period began in May 2016.
Data breach – what’s so frightening about it?
For individuals, data breaches are scary since you never know whose hands your personal data is in, or how and for what purposes it is harvested. For businesses, the repercussions are perhaps even greater: apart from a permanent loss of goodwill, data breaches also make a big dent in their reliability in the eyes of existing and potential customers.
Here are some examples of major data breaches over the past few years and the kind of impact they have made. The list clearly shows how costly and devastating data breaches are, no matter how and when they happen.
GDPR and data breaches – what’s the connection?
With the GDPR in place, it is now difficult for organizations to sweep data breaches under the carpet or to create unnecessary delay in taking appropriate measures.
The GDPR establishes a duty for all organizations to report particular types of personal data breach to the pertinent supervisory authority. Where feasible, this must be done within 72 hours of becoming aware of the breach.
In case the breach is likely to result in a high risk to individuals’ rights and freedoms, organizations must also inform those individuals without undue delay.
Organizations should make sure to have strong breach detection, inquiry and internal reporting measures in place. This will help in the decision-making process about whether or not the affected individuals and the relevant supervisory authority need to be notified.
The GDPR also makes it mandatory for organizations to keep a record of any personal data breaches, irrespective of whether they are required to notify anyone about them.
How will GDPR affect your business?
The GDPR retains several basic stipulations of the original Data Protection Directive but includes changes that will have a significant impact on the way businesses handle personal data.
Under GDPR, data processing needs to abide by six principles and satisfy at least one processing condition. In brief, these conditions demand that data be processed in a transparent fashion (for which consent must be given), that data be collected and used for a particular purpose and only that purpose, and that data be kept safe and accurate until its particular purpose of use has expired. The data must then be deleted.
GDPR – what’s its global relevance?
From evaluating the changing requirements of data privacy and security to creating a strong regulatory framework, the EU has invested significant time and effort to safeguard the personal data of individuals while giving businesses a clear regulation to adhere to. Taking inspiration from the EU’s GDPR, governments in different countries are now changing their own data privacy and security regulations to reflect GDPR’s key elements. Thus, in essence, GDPR is no longer an EU-specific regulation. Rather, it has become an international one, even though various governments will be implementing and enforcing their own laws based on it.
It’s widely believed globally that adhering to GDPR would make an organization fit to automatically comply with a majority of global standards and regulations.
What does GDPR mean for consumers?
In today’s consumer-driven market, the personal information of individuals is collected, used and retained by various businesses and entities. Most people today have all or some of these:
What all this means is that the personal information of consumers is exposed to several organizations, in both the public and private domain. Earlier, there were rampant instances of such personal information being used to violate the rights and freedom of individuals. The GDPR has now introduced provisions that tighten the rules about how consumers’ personal data is processed, stored, retained and deleted.
To begin with, the GDPR requires consent to be given freely and in an informed, specific, and unambiguous manner. So, consumers are now free to either provide or withdraw their consent for particular services.
Right to access under the GDPR is another benefit for consumers, which basically means that consumers have the right to know what type of personal data their service providers have collected and how they are processing such data.
GDPR’s data portability provision also strengthens consumers’ hands, since it gives them (the data subjects) the right to obtain the personal data relating to them from companies in a commonly used, machine-readable format, and the right to pass that data on to another controller.
Yet another clause is the right to be forgotten, which gives data subjects the right to have their data controller erase their personal data and stop further disclosure, and to have the controller’s third parties abide by such requests. Thus, consumers who cease to be a subscriber or member of a service can request that all their personal data be deleted permanently. Earlier, even after such a subscription or membership ended by the consumer’s choice, their personal data continued to be retained by companies.
So, what makes GDPR good for business?
Any business is driven by its consumers, and when they start believing that a business is using their data transparently and responsibly, they will naturally trust and support it and may even act as word-of-mouth publicists, which is surely a win-win situation for businesses. Businesses will not only streamline their data collection, processing, retention, security and deletion systems to comply with GDPR but will also win their consumers’ trust and praise in the process.
GDPR can even help businesses trim the fat in terms of data they retain and store. In an effort to comply with GDPR, businesses will need to review their data handling and processing procedures. This would give them an opportunity to evaluate and map their data flows, or even get rid of the excess baggage of massive amounts of obsolete, redundant and/or trivial data by restructuring their system not merely for compliance, but also for cost-effectiveness and business efficiency.
GDPR promotes better, updated and clean data in the hands of businesses, which can help them get better leads and eventually, higher conversions. Though some are skeptical about GDPR marking the end of email marketing, it isn’t so. Rather, GDPR can give the right impetus to push businesses for crafting a valuable, responsive email marketing strategy, which will encourage and engage leads and wow customers.
GDPR’s new data protection concept, pseudonymization, may considerably reduce the risks related to data processing while preserving the data’s utility, and it creates an incentive for controllers to pseudonymize the data they collect. If you are wondering what pseudonymization is, it means separating the data from its direct identifiers, so that it can no longer be attributed to a specific person without supplementary information that is held separately.
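The following is an added example, not code from the original article, showing what "separately held supplementary information" looks like in practice. Direct identifiers in a set of constructed sample records are replaced by a keyed token (HMAC-SHA256 under a secret key), the token-to-identity mapping goes into a vault that is stored apart from the working dataset, and the working dataset alone still supports per-person analysis. The record fields, the key, and the function names are assumptions made for the illustration.

```python
"""Pseudonymization with separately held re-identification data.

Added example, not from the original article. Direct identifiers are
replaced by keyed pseudonyms so that the working dataset alone cannot be
linked back to a person, while the key and the lookup table (the
"supplementary information") are held apart from it. The records, key and
field names are constructed for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

DIRECT_IDENTIFIERS = ("name", "email")   # fields that identify a person directly


def pseudonymize(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Return (working_dataset, vault).

    working_dataset: records with direct identifiers replaced by one opaque
        token per data subject, so per-person analysis still works.
    vault: token -> original identifiers; must be stored separately from the
        working dataset (different system, different access controls).
    """
    working, vault = [], {}
    for rec in records:
        # Derive the token from the normalized e-mail so the same person always
        # gets the same pseudonym. HMAC rather than a plain hash: without the
        # key, tokens cannot be checked against guessed e-mail addresses.
        identity = rec["email"].strip().lower().encode()
        token = hmac.new(key, identity, hashlib.sha256).hexdigest()[:16]
        vault[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        stripped = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        working.append({"subject": token, **stripped})
    return working, vault


def reidentify(token: str, vault: Dict[str, dict]) -> dict:
    """Controlled re-identification: possible only with the separately held vault."""
    return vault[token]


def forget(token: str, vault: Dict[str, dict]) -> None:
    """Erase the link for one subject. The remaining working records become
    unlinkable to that person, which supports an erasure request without
    rewriting every downstream copy of the working dataset."""
    vault.pop(token, None)


def spend_per_subject(working: List[dict]) -> Dict[str, float]:
    """Utility check: the working dataset still supports per-person aggregation."""
    totals: Dict[str, float] = {}
    for rec in working:
        totals[rec["subject"]] = totals.get(rec["subject"], 0.0) + rec["amount"]
    return totals


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "amount": 20.0, "item": "book"},
    {"name": "Alice Example", "email": "Alice@Example.org", "amount": 5.0, "item": "pen"},
    {"name": "Bob Example", "email": "bob@example.org", "amount": 12.5, "item": "mug"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # kept with the vault, never with the working data
    working, vault = pseudonymize(SAMPLE_RECORDS, key)
    print(working)                          # no names or e-mails present
    print(spend_per_subject(working))       # still one total per person
    alice_token = working[0]["subject"]
    print(reidentify(alice_token, vault))   # needs the vault
    forget(alice_token, vault)
    print(alice_token in vault)             # link severed
```

The design point is the separation: the analytics team works only on the output of `pseudonymize`, while the key and vault live under stricter access control. Anyone holding just the working dataset cannot tell who a token belongs to, and deleting a vault entry is a cheap way to honour an erasure request for the derived copies.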
GDPR makes businesses take control of their own compliance by actively understanding, organizing, and monitoring all the data they store, while making sure it’s compliant with GDPR regulations.
For some, GDPR compliance may seem like a big burden involving a lot of additional work, but if you plan it right, your organization will not only become GDPR compliant, but can even boost its business in the process.
For businesses, GDPR acts as a great reminder that the personal information they collect isn’t something they own. Rather, it is simply on loan to them, and they are responsible for looking after and safeguarding it.
GDPR isn’t merely about confidentiality; it’s about precision, integrity, and availability – and above all, it’s simply what basic good business practice should be.