Big school of GDPR by ICTbusiness portal – Lesson 1: Impact on Society and Business
The new rules on the protection of personal data, whose application begins in May next year, brings about major changes in society. Control of personal information is given back to their owners. The rights of EU citizens in the field of personal data protection are increasing, along with the obligations of all those who use this information.
Protection of citizens
Electronic identity theft is the most obvious way of abusing personal information. We all know that credit card information is confidential, but personal information and electronic identity are much more than that. As it usually happens, what we see is just the tip of an iceberg. By processing large amounts of personal data, people can be profiled, spied, their movement, behavior, thinking predicted, behaviors of an individual, as well as behavior of mass can be affected. Big data technology boom happened largely thanks to their application in profiling based on personal data. Of course, organizations with large databases such as telecom operators, social networks, insurance companies, banks, utility companies, are at the helm... Personal data have become the sought-after goods for which many are willing to pay the asked price. Personal information databases are sold, stolen, transmitted through job changes... How would you feel if you knew that your name, security number, address and phone number, even a copy of your ID, along with those of thousands of others, have ended up on a USB stick sold by an unsatisfied employee of the company you trusted this information with, for, let’s say, 1,000 euros? Sales agents who call us on the phone, and even know our names and age group have become a common occurrence. Where did they get that information? Ask them.
Someone has had to end this. The new EU regulation has decided to protect a small man and give him back the control over personal information. And it thinks seriously!
What's changing for a common man?
If, for example, you open a user account on some Internet service, you will also need to have an option to close the account. Your personal information collected by the service will be available in a comprehensible electronic format, and the service will have to delete all your personal information if you do not explicitly allow them to keep it. This applies to any organization you have provided your personal information to. Of course, unless another, more specific law does not regulate differently. E.g. you cannot ask your former employer to delete all your personal information because the employer is responsible to keep payroll data. Also, you cannot ask the bank where you raised the loan to delete your data if you have not returned it yet. The information you give may only be processed for the purpose you gave them for. Signing of a service contract may not be conditioned by any data or privileges for processing that are not necessary for the service you contract.
Not only will the data collection and processing need to be explicitly allowed, but the data will also have to be well protected, so only those employees whose job it requires, will have access to your personal information, in accordance with your permission.
What does this mean for companies and state administration?
Harmonization with GDPR is a very demanding task from an organizational, and even more from a technical point of view. In companies that build their business models on intensive personal data processing, alignment with GDPR requirements could have a big impact on business results, while neglecting this obligation could result in exceptionally high penalties whose cost will only add to the cost of alignment. Target sales business models based on illegally collected personal information will disappear.
Most companies (including the state administration) have no choice. There is only one year left for harmonization. This is roughly the average implementation time in a medium sized company that does not build its business model on customer profiling. So, telecoms, insurance companies, banks, travel agencies and many others are already too late.
What if we're late?
Until a few days ago, the general opinion was that the penalties would not be as rigorous as the Law prescribes, that the regulator would be gentle and would first warn the offenders. This may be true for those whose offenses are minor. The European Commission has recently made it clear that there will be no mercy for the others. The fact is that Croatia has not yet established a body that would be responsible for verifying violations and charging penalties, but we have had the opportunity to see that it is simply not necessary. The EUR 110 million penalty that Facebook recently got was prescribed directly by the European Commission. Although based on a completely different regulation, this penalty is in essence prescribed due to the provision of false information on merger with WhatsApp. On that occasion, Facebook had said that personal information of user accounts cannot be merged, and two years later they did just that. They merged WhatsApp accounts with Facebook accounts. The European Commission reacted almost promptly and imposed a EUR 110 million fine; 0.5% of total Facebook revenue globally and 50% of maximum possible fine prescribed by the companies' merger regulation. So, if an EU country fails to penalize the offenders, it is obvious that EC will do it directly. The Italians seem to have quickly realized where the wind blows, and only a couple of days later, for that same offense, they penalized WhatsApp and 3 million euros went into their own state budget. Better to go into the Italian budget than to Brussels. The European Union has decided to protect the privacy of its citizens. The offenders will get deserved penalties that will fill up budgets of the member states. Even if some choose a softer policy, the European Commission will not do so.
If they want to continue doing business, the choice for companies is very simple. Either they will align their businesses with the GDPR requirements, or they will pay a heavy penalty and in the end align their business with GDPR requirements.
What about the state administration?
Ministries, local administration units and other budget users seem to be in a particularly favorable situation. Namely, charging a penalty to a budget user, who will pay that money into the state budget, does not make any sense, but ...
According to the currently available information, the state administration bodies that violate GDPR may get a "negative opinion" of the monitoring agency (in Croatia it is likely this will be a successor of today's AZOP with increased powers). Such a penalty is in great disproportion to the penalties that are foreseen for the economy. The Regulation therefore provides for the possibility for Member States to further develop local legislation. Among the first to go in this direction is Germany, which for some offenses in this area also foresees a prison sentence of up to three years. We believe other members will follow this example, and the prison sentence has always been a good incentive for responsible people to do everything they can to comply with the law, especially in case of budget users.
Which budget users and public companies are particularly exposed? Given the structure of Croatian GDP, tourist boards that collect EU citizens' personal data are surely at the very top, along with this entire economic branch. There are utility companies, Croatian railway, local administration units, and others.
How to start?
Harmonization with GDPR starts with knowledge. The first step is to become familiar with the requirements and to train the internal team. Who will be in it? Typically, a person responsible for the protection of personal data appointed by the Management Board or a member of the board of directors who will be in charge of this function, an information technology manager, a lawyer and HR manager, but above all there will be managers of all business processes in which the company accesses or processes the personal data. Sales? Business intelligence? Depends on the nature of the company's business. Read, ask, educate yourself in dedicated training, engage in online discussions, attend professional conferences, and of course follow the Big School of GDPR by ICT business portal.