general data protection regulation
Written By Paul Arnesen - July 15th 2019.

General Data Protection Regulation - GDPR

GDPR is the latest privacy regulation that has made an impact on how companies deal with the personal data they collect. When launched on May 25th, 2018, it was the most significant privacy update in decades, but we still have a long way to go to ensure proper protection of personal data. We still need to see better ePrivacy regulations as our digital identity is now a commodity that is being monetized.  

The GDPR was a necessary update to an old and outdated privacy regulation, not adequately enforced by the EU countries. Before the GDPR is was the data protection directive, established in 1995 - That is a long time ago.

1995; the world has 5.7 billion people, a devastating car bomb wrecks terror in Oklahoma, Microsoft releases Windows 95,  around 15% owned a mobile phone. Feeling old yet?

How did we perceive data back then?

What was digital identity in 1995? Personal data was something that you cared about,  at least not if you lived in a democratic society. Your data was kept by your doctor, your bank, your employer, insurance companies, and official offices. They were bound by confidentiality and general trust in democracy. The number of home computers was minimal as the cost of one was usually a considerable investment. Also, the internet was something many still hadn't installed or had access to. Other devices connected to the internet was, therefore non-existent, electronic privacy was something new, and it became more critical as it was the beginning of e-commerce and other online transactions. It was growing, butJeff Bezos was still shipping books from his garage.

The common denominator was that society was still virtually offline where your privacy was first and foremost in danger of being abused by the official capacities you trusted.

Now, over 24 years later, we spread information all day, every second, knowingly and unknowingly. So we trust almost anyone with our data.

Lack of focus affects.

The consequence of this reckless sharing of data is that the number of ways and people and institutions willing to exploit this weakness is never-ending. We lack an explicit acknowledgment and understanding of how and for what purpose we share information. 

Today 1 in 3 businesses have not made any effort in ensuring that personal information is protected. At least some companies are making some advances, but it was not because of the old and outdated data protection directive that was implemented back in 1995. Some companies, due to the nature of the data they did collect have been more proactive as they already did have a data protection officer or similar employed. Most companies are small and medium where personal information is not a concept they ever considered to be of any importance.

Increased data sharing and misuse of personal data are costly and dangerous for those affected. It was evident that something had to be done to protect our personal information and to encourage companies to make data protection a vital part of their operation. The solution was to update the data protection regulation, and it was then the EuropeanUnion implemented a new regulation, the EU General Data Protection Regulation or just GDPR.

Whom does it cover?

If you operate a business in a country that is a member of the EU or the EEA, you are automatically required to comply with the GDPR. Besides, if your company is collecting personal data from EU citizens, no matter where you are based worldwide, you are bound to protect those citizens data as per the regulation. Any non-EU/EEA company might have appointed an EU-Representative to oversee this.

To be clear, if your company collect and processes data on other people, then you should understand and comply with the regulation. For some, it is as little as having someone’s contract in the office cabinet or if your email contains communication that has personal data. For example, in B2B relationships, where customer data often contain sensitive info, it is increasingly important. These are all examples where your company needs to ensure proper privacy practices in your company. If you are a business with few employees, or the business is just you, you would need to get appropriate GDPR training and understand the dangers of lacking knowledge about the regulation.

In other words; It has nothing to say if you run a multinational with thousands of customers in the database. If you collect data about other people, you are required to follow the GDPR.

Why, what, how, where, when and who.

A right way of looking at understanding the general data protection regulation is to try to answer the why, what, how, where, when and who in the context of your company’s data collection and the personally identifiable data (PID) that is stored. 

Why do you collect data?
What are the reasons for saving PID? As soon as you understand this, it is easier to see which regulations, policies, and rules apply to you and your business.  For example, in terms of what kind of data you are allowed to obtain, whether you need to request specific permission to collect some data, and whether you have particular requirements that the customers need to comply with under a contract. 

- What kind of data do you have?
Data you can be, for example, contracts with customers, files on employees, buyers, and potential customers. How many years you have been active in the data collection means that the job of mapping what kind of data you have is heavily resource demanding. If you also take into consideration different special categories of data, like data on children, information about someone’s health or criminal record. You would have to scan through years of archives and ensure that you know what data you have before you can start the data mapping process. 

- How do you collect data, and how do you treat it?
Are you requesting permission to obtain the information you need from a customer? Are you asking for specific consent to collect their name, email, and phone number? Do you use the data you had received in ways you had not informed the users about at the moment when you collected it? Are you honest in your privacy policy – do you do what you say? This must be correct and truthful. One mistake in the way your data is being treated can lead to minor misinterpretation and underestimation of the requirements for GDPR, which in essence might be a breach of the law. 

-Where do you access data and where do you send it?
Drawers and cabinets, email, cloud servers, or hard drives? Today, we mostly store everything electronically, but there is still much information that is stored in physical filing cabinets stored around in basements and storage rooms. And what if you outsourced parts of your business outside of the EU? Do you have access to that data, and subsequently that PID? Maybe your company uses external servers to store data, where are they located, and what is on them?

There are many pitfalls here, so it is essential to ensure a good overview and map it out. 

- When is data relevant?
Are you storing on decades-old personal data that is no longer relevant? Is there any of this data that is so old that laws and regulations have made it illegal for you to continue to store it? Did you have permission to retrieve that data when you got it? Are you requesting permission for that data? 

- Who is responsible for personal data?
As a business owner, you must take responsibility for protecting all the info you collect. Do you use a third party to help you, or have you outsourced data processing to another company? Check internal routines and make a map of who has what responsibility. If you have shareholders, make sure they understand their role and responsibility in this and that they can be liable for a data breach.

Start Today!

May 25th, 2018 was the day the GDPR went into effect. Moreover, many companies have faced monetary consequences for their mismanagement of PID, and for many, this can be devastating, not only financially, but also in terms of their reputation. 

If you haven't made an effort, we cannot stress enough the importance of starting to learn and understand what the GDPR is for your business. It would be best if you were well-equipped. Start with you if you are the owner, then ensure that the entire organization gets on board.

Please feel free to contact us if there is anything you are wondering about. Privacy is no longer just something you have to follow; you have to make it a vital part of your business.

reddit share buttontwitter share buttonlinkedin share buttonemail share button

Want to know more about GDPR or other privacy topics?

Check out our Privacy Services section.

You can also contact us directly for any questions.

Last update 15. July 2019


Privacy Devices