Big school of GDPR Lesson 10: Legal Aspects - How to Avoid Penalty?


Where are we living?

Violating the right to privacy, handling personal data irresponsibly and misusing it to generate profit, at the cost of harming individuals, has become the business practice of many. Technologically advanced companies such as those in the telecom and banking sectors, and innovative startups that today offer public services to millions, even billions, of users, have brought the processing of personal data to perfection. Advanced analysis of huge amounts of personal data enables profiling, targeted sales, tracking, prediction of behavior, and influencing the behavior of individuals, groups, nations, generations ... In the struggle with this globally recognized business-political opportunity, let us be realistic, ethics stood no chance.

Gartner argues that data analysis has increasingly become the strategic determinant of most businesses and business functions: every business is an analytical business, every business process is an analytical process, and every employee is an analyst. Marketing can no longer deal only with branding and placing ads; it must analyze buyers. The same applies to HR, procurement and financial functions in most industries. Anyone who holds large amounts of data is trying to gain a market advantage through advanced analysis, and often does not shy away from intruding into privacy and other imaginative ways of misusing personal data.

Do you still think the penalty is too high?

Do you have a child? Over 92% of computer games are sold today through digital distribution services. Have you heard of Steam, Origin, uPlay ...? These are platforms for buying and licensing computer games. Most children today have an account on at least one of them. These platforms know which games your child loves: violent, arcade, knowledge games ... They know how much your child plays each kind of game. Children are offered special discounts that can be based on an analysis of their interests. At first glance this may look harmless, but psychological profiling and careful encouragement to play a certain kind of game on such a platform can foster militancy or intelligence, aggression or amicability. And that is just the beginning. Modern games confront children with moral dilemmas and collect information about the decisions children make. Will your child, in the game, kill a sister or save a friend? Will the decision depend on the skin color, sexual orientation or religion of the victim? Will the child choose a fast or a particularly violent death? Children may unknowingly be exposed to psychological profiling while playing.

Such activities may be carried out only to improve the gaming experience, but what would happen if the psychological profiles of hundreds of millions of children were to leak to the public because of the company's irresponsible behavior and inadequate security controls? Is the profit a company makes by selling games worth that risk? What would happen if such a company sold the psychological profiles of children? What if it planned to promote aggression in entire generations in certain regions to achieve political goals? The toy industry is just one of many examples. Add financial institutions, telecommunications, pharmaceutical companies, hospitals, state administration ...

Do you still think that 20 million euros or 4% of total annual income is too high a penalty?

Financial and prison penalty, plus indemnity

The amount of the penalty for breaching GDPR provisions depends on several factors that you can influence to a greater or lesser degree. In the event of a leak, or of a disruption of the availability or integrity of personal data with consequences for the data subjects, it is very likely that the competent authority will open an investigation to determine the magnitude of the incident, its impact and its cause. The penalty ranges from a simple warning up to 4% of total annual income or 20 million euros (whichever is higher). Although we do not yet have a new Personal Data Protection Act, which will most likely prescribe imprisonment and fines for responsible persons, the current Penal Code already provides for up to 5 years of imprisonment for unauthorized use of personal data. In addition to the penalty, the organization is also required to compensate for the damage caused by inadequate use of personal data.

Given that personal data is today processed automatically and in large quantities, the damages that arise will largely be caused by unauthorized processing, which means that the individual damage is multiplied by the number of injured persons. Individual damages of 10 euros, taking an average Croatian telecom with a million users as an example, would add up to 10 million euros. The amount of data in the health care system is far greater, as are its sensitivity and the potential damage. There is no need to list further. And we could.

15 tips to avoid a penalty

The penalty will be proportionate to the damage caused, or to the recognized risk of damage if no incident has yet occurred. Here is what you can do:

1. Secure the management board's unreserved support for the ethical handling of personal data.

2. Do not collect, store, process or transfer personal data when it is not really necessary.

3. For every handling of personal data, ensure an appropriate legal basis (legal obligation, performance of a contracted service, consent).

4. Keep personal data in as few places as possible, and always know where it is.

5. Make sure personal data is adequately protected for as long as you are responsible for it, and this also applies to the partners to whom you entrust it for processing. Be aware that this is the most important element of GDPR ("DP" in GDPR stands for Data Protection).

6. Always look at personal data processing through the prism of ethics.

7. Raise your awareness of the value of personal data and the need to protect it; educate yourself and keep track of privacy-related issues.

8. Integrate data protection impact assessment into your daily business.

9. Give data subjects transparent insight into how their personal data is used and full control over it. The rights to be forgotten, to portability, to rectification and to object must be built into all information systems.

10. Pay special attention to the protection of personal data outside production information systems (in BI systems, test systems, development ...).

11. Appoint a person responsible for the protection of personal data (DPO) and give them the appropriate powers, responsibilities and resources, regardless of whether or not the GDPR Regulation requires it of your organization.

12. Establish communication with the competent authorities and cooperate during investigations.

13. Establish an internal organization for managing personal data security.

14. Educate yourself to be able to recognize security incidents, and establish incident response procedures, including reporting to the competent bodies.

15. Certify your personal data security management system.

If you apply these tips to your business, you will significantly reduce the chance of incidents or misuse of personal data. Even if an incident does occur, the competent authority will take your efforts into consideration when determining the amount of the penalty. Systematic neglect of personal data security, negligence, and especially the unethical use of personal data for profit are a sure way to receive the maximum penalty.

In closing

Through the ten lessons of the Big School of GDPR, we have tried to bring you closer to the reasons behind the introduction of the General Privacy Directive, its content, and its impact on business and on society. We tried to walk through the basic phases of alignment and to answer the most common concrete questions. If you still have any questions, please contact us. We will obtain answers from the most competent experts and publish them on the ICT business portal. Loyal readers of this school have in recent days received the first issue of GDPR news. Designed to raise awareness, follow trends and regulatory changes, and provide specific information in the area of personal data protection, this newsletter is published by the leading GDPR consulting firm in the region, Ostendo Consulting. This newsletter, like the Big School of GDPR, aims to increase the availability of information on GDPR and to provide concrete advice in the process of alignment. You can subscribe here.

The Big School of GDPR was provided by ICT business and Ostendo Consulting.
