Businesses rely on user data to target their audience
Businesses rely heavily on user data to help them target the right audience and to reach a wider one. The data these companies need includes personal information that could compromise a user’s identity if it is not handled well. Data protection laws have been enacted to protect users from this.
Here we share what it takes for companies to comply with a data protection law imposed on them.
What is GDPR and what does it stand for?
The General Data Protection Regulation (GDPR) was drafted and passed by the European Union (EU). It imposes obligations on organisations anywhere in the world, so long as they target or collect data related to people in the EU. The regulation applies regardless of where a website is hosted: it must be heeded by all sites that attract European visitors, even if they don’t specifically market goods or services to EU residents. Organisations that fail to become GDPR compliant can be fined up to 4% of annual global turnover or €20 million, whichever is higher.
GDPR is considered to be the toughest privacy and security law in the world.
This is the highest-profile emerging data protection law in the world, and there are 7 principles of GDPR that every organisation has to adhere to:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
According to the University of the Highlands and Islands, “the GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data. The principles are at the centre of the GDPR; they are the guiding principles of the regulation and compliant processing.”
There are also 8 Basic Rights of GDPR that all organisations must comply with:
- The right to access
- The right to be forgotten
- The right to data portability
- The right to be informed
- The right to have information corrected
- The right to restrict processing
- The right to object
- The right to be notified
Superoffice gives a more detailed explanation of these 8 basic rights.
Who does GDPR protect?
The GDPR’s primary goal is to protect data belonging to EU citizens and residents. There are 3 ways in which the GDPR protects them:
- Before collecting any personal information or other identifiable data from users, companies need to clearly explain what they will collect, how they will use that data, and who they will share it with. They may only collect the data they need once they have received explicit consent for it.
- Once the company has collected the data, the user can ask to see, export, and delete it. If the data is compromised through a data breach, the company must inform the relevant authorities within 72 hours.
- Companies and individual EU member states must put processes and resources in place to comply with the guidelines and policies. Companies need to appoint dedicated data privacy officers, and member states need to designate data protection authorities, each responsible for ensuring that these guidelines and policies are followed properly.
Why GDPR is required
The purpose of the GDPR is to standardise data protection law across all EU member states so that each state no longer needs to write its own. This makes data protection law consistent across the entire EU.
What is classified as a breach of GDPR?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data is classified as a personal data breach. This covers breaches with both accidental and deliberate causes.
The biggest GDPR fines of 2020 and 2021 (so far)
The standard of data protection set out by GDPR is very high, and becoming compliant requires a significant amount of money.
Listed below are the companies that have paid the biggest fines:
1. Google – €50 million ($56.6 million)
2. H&M – €35 million ($41 million)
3. TIM – €27.8 million ($31.5 million)
4. British Airways – €22 million ($26 million)
5. Marriott – €20.4 million ($23.8 million)
6. Wind – €17 million ($20 million)
7. Notebooksbilliger.de – €10.4 million ($12.5 million)
8. Vodafone Spain – €8.15 million ($9.72 million)
9. Google – €7 million ($7.9 million)
10. Caixabank – €6 million ($7.2 million)
11. BBVA (bank) – €5 million ($6 million)
12. Fastweb – €4.5 million ($5.5 million)
13. EDP Energia – €1.5 million ($1.83 million)
14. AOK (Health Insurance) – €1.24 million ($1.5 million)
15. Equifax Iberica – €1 million ($1.22 million)
16. BKR (National Credit Register) – €830,000 ($973,000)
17. Iliad Italia – €800,000 ($976,000)
18. Unknown – €725,000 ($821,600)
Google’s first penalty of €50 million dates from 2019, and Google appealed it. In March 2020, judges at France’s top court for administrative law dismissed Google’s appeal and upheld the costly penalty. A further €7 million fine was added in 2020. Source: www.tessian.com
ADISA – Data Protection company is UK GDPR compliant
The ADISA ICT Asset Recovery Standard 8.0 was formally approved by the UK Information Commissioner’s Office (ICO) in July 2021. Data protection and cyber security are a complex area, and this new Standard helps fix one problem many organisations don’t even know they have: how to dispose of retired assets while ensuring regulatory compliance.
Once certified against Standard 8.0, any company whose business is IT asset disposal can evidence that its service meets UK GDPR.