GRC Tuesdays: Your Personal Data as a Consumer
How secure is your personal data? Have you ever been worried about how your personal data is used? Are your name and address “for sale” for new mailing lists, either physical or digital?
In college, I knew of fellow students who would purposely misspell their names on any application, for example when signing up for a video rental company. In theory, that person would only receive mail from the original video rental company. However, usually in less than a month, there would be a flurry of new advertisements in the mail, all misspelled in the same way as on the original application. It seems that personal information was for sale, even decades ago.
These days, many people are more aware when it comes to disclosing personal information. Yet there is a dichotomy between social actions—on the one hand, publishing your own personal data on various social media forums, and on the other hand, the desire to keep your private information, well, private. So where do we draw the line? If your friends “share” your posts and pictures without your permission—well, then you need to revisit your friend list, or your own privacy settings (to use the terminology of one social network, just “friends” and not “friends of friends”). Most will agree that we don’t want the owner of any social platform to re-use our posts for sale, for advertisement, for any reason, unless we consent. If the platform is a purely public platform, then let’s face it, we do not necessarily have control of what will happen to our posts as stipulated in user agreements.
Then we have the situation where data is being collected without our knowledge. If you browse certain sites, suddenly you will be presented with advertisements relating to your recent searches, even when you visit other sites. Correlations are made between browsing and buying behaviors across different users. And you don’t even need to be logged into a site as a user for that to happen.
Let’s take this a step further.
The Future Starts Now
GDPR (the General Data Protection Regulation, initiated by the European Union) applies to an “EU (European Union) data subject” or a “natural person.” In short, EU “data subjects” must consent to their information being collected. They should be informed for which specific purpose that information is collected and used (online payment of a purchase doesn’t mean automatic enrollment in a newsletter blast), and they should be given the right for their information to be deleted upon request. And they must be informed of any security breaches within 72 hours.
Who, as an individual, would NOT be on board with that?
So is this the end of signing up for loyalty cards for that coveted 20% discount? What about the marketing efforts of companies that aim to show you products that are actually relevant to what you purchased in the past? Or earning points on your purchases, such as at that nice European hotel you just booked?
It’s not necessarily the end of such perks, as long as these companies have your consent. Companies are required to be explicit and clear about what data they collect and why. Say goodbye to the 20-page disclaimer forms with fine print.
Who Is Protected under GDPR?
I won’t attempt to define who an “EU (European Union) data subject” is—it’s a definition that needs the counsel of your legal department. Yet the deadline for the implementation of these privacy protections is past due.
So I will say that, in general, GDPR applies to citizens of the EU and residents of the EU, plus all transactions that occur in the EU (either physically or online). Companies doing such business with EU data subjects must comply with GDPR. Ordering from an EU country, or taking delivery of an item shipping from or through an EU country? GDPR may also apply. Paying with an EU credit card? GDPR may apply. Company data is transferred or stored in an EU country? GDPR may apply. Accessing a non-EU website while traveling in the EU? GDPR may apply.¹
There are various interpretations of whether an EU citizen who is not residing in the EU and submits personal data or transacts business outside the EU is covered. For example, what about the EU citizen who has a loyalty card for a local (non-EU) coffee shop and purchases coffee there? Does the coffee shop need to comply with GDPR? Well, in this scenario the EU citizen ultimately still has the right to have their data deleted at will, so in the broadest application, GDPR may still apply.¹
Let’s be realistic from a company’s standpoint. In an increasingly global economy, it’s very likely that each and every company will have dealings with an “EU data subject,” if not now, then very soon, be it a customer or an employee. From an implementation standpoint, having one consistent process related to privacy, regardless of whether or not you are dealing with an EU data subject, ensures standardization and therefore reduces errors. Implementing a process only for EU data subjects would make it necessary to collect citizenship and potentially visa status information, which is highly sensitive personal data.
Ultimately, each company needs to engage their legal department to determine how to best use the available systems tools to meet the GDPR requirements. Think of it as being similar to a chart of accounts—while the tool is made available from a systems standpoint, each company needs to determine how to structure their own chart of accounts to meet legal disclosure requirements. Meeting GDPR requirements is the same: the tools are available, from access and process controls to data management, but legal departments need to be involved in how policies are implemented.
Privacy Regulations Continue to Expand—California Leads the Way
GDPR is not the only kid on the block anymore. California has just passed the California Consumer Privacy Act of 2018, which will go into effect in 2020. It applies to for-profit companies, with particular minimums of revenue and of volumes of customer data stored and sold. This act gives consumers the right to know what information is collected, the sources of that information, how it is used including how it may be sold to third parties, and the right to have that information deleted. Of course, details will be worked out in the next year, but again, companies should consult their legal departments.
If processes, systems, and data streams are all defined and implemented according to the most stringent requirements, meaning they are compliant with both GDPR and the California Consumer Privacy Act of 2018, then all individuals benefit from protection of their private information. And it’s likely that similar laws will be enacted in other regions and states going forward. Complying is not optional, as there are significant fines for companies that do not do so. And while there is a scramble at the moment to ensure all systems meet these requirements from a company perspective, the overall intention is a good one.
Privacy is important to everyone. Especially to you.
- Read our other GDPR-specific blogs.
- Check out SAP’s GDPR webpage for resources and information about which SAP solutions and services could help you govern your GDPR program and manage and protect your data for sustainable GDPR compliance.