What is the GDPR? How do I Comply?
As the volume of online data has grown over the past 20 years, countries around the world have passed new legislation in an attempt to regulate this digital landscape. The General Data Protection Regulation, or GDPR for short, is a European Union personal data and privacy regulation that governs online interactions and transactions occurring within and between EU member states. The categories of personal data the GDPR protects include:
- Basic identity information such as name, ID numbers, and personal addresses
- Biometric data
- Racial or ethnic data
- Health and genetic data
- Political opinions
- Sexual orientation
Companies that collect data on EU citizens must comply with the strict rules set out in the GDPR or risk significant monetary fines or penalties. These fines can be steep, running into hundreds of millions of dollars depending on the severity of the violation. For example, multinational tech company Google was fined 56.6 million USD under the GDPR in 2019. The fine was levied on the grounds that Google had failed to give users enough information about their personal data rights and about how their data is processed. Google appealed the fine in France’s highest court the following year, in 2020, but the court upheld the 2019 decision. The GDPR’s handling of a corporation as large as Google is indicative of the stringent standards that EU regulators are seeking to uphold.
Similarly, international clothing retailer H&M was fined 41 million USD by the Data Protection Authority of Hamburg for violating the GDPR. H&M was accused of monitoring several hundred of its employees in a way that proved to be intrusive. This intrusion included broad knowledge of employees’ personal lives outside the scope of their job duties, covering everything from religious beliefs to family issues. Moreover, some H&M employees were required to attend return-to-work meetings after being on leave or vacation. Recordings of some of these meetings were reportedly made accessible to, and viewed by, over 50 H&M managers without the consent of the employees being recorded.
H&M claimed it collected this information in order to evaluate employees’ performance and make the best hiring decisions possible. Despite this defense, the ruling stated that H&M had violated the GDPR’s principle of data minimization. In other words, a person’s personal data should not be processed and shared unless it is for a very specific and, in most cases, beneficial reason. Furthermore, this information should be protected at all times and should never be used to make hiring decisions.
Why does the GDPR exist?
The GDPR exists because of the public’s growing concern over privacy. As we approach the 3-year anniversary of the GDPR being passed into law on May 25th, 2018, privacy concerns have only grown during that time. According to the RSA Data Privacy & Security Report, which surveyed 7500 people of varying demographics across France, Germany, Italy, the U.S., and the U.K., 80% of respondents said that losing their banking or financial information was their primary concern. Meanwhile, 76% of respondents named the loss of personal data such as their driver’s license or passport as their secondary concern.
Additionally, public sentiment is changing regarding who should be held responsible when data is misused. For many years, online fraud was generally associated with hackers or criminals acting of their own accord for personal gain, rather than with a major company secretly watching videos of its employees. As consumers have become more informed and aware, they now demand that businesses be more transparent and responsive about the ways in which they store, process, and track personal data in the course of their operations. As trust has waned over the years, some consumers have resorted to their own countermeasures, such as intentionally providing false information when signing up for online services.
How should companies go about complying with the GDPR?
In order to combat this mistrust, many companies must amend existing contracts with customers and third-party vendors or draft new ones. Because many of these contracts were written before the GDPR took effect in 2018, they now contain language that could leave the companies out of compliance. More importantly, as many large tech and social media companies have come to view the personal data of their user base as an asset, there must be a conceptual rethinking of what a person’s identifiable data truly represents and of the best ways to protect it. Redaction software options such as CaseGuard Studio are currently in use across Europe. With CaseGuard Studio, EU corporations and companies can rest assured that they have the tools needed to avoid violating anyone’s personal privacy.