We all love the internet, from shopping to banking to entertaining ourselves with random browsing. But do you know that each time you access a website, you leave a digital footprint? From a company’s point of view, this is all good. Information like gender, location, interests helps businesses create a digital profile for customers. And while most companies only have the best intentions in mind (i.e. provide a more personalized experience), gathering information without a safety net exposes personal data to various risks.
The dread of data breach prompted institutions around the world to adopt legal measures that secure information from compromise, corruption, or loss. Perhaps, none of these laws is as widely known as the General Data Protection Regulations (GDPR). But what exactly does GDPR do, and how is it different from other privacy laws such as the UK’s Data Protection Act? Why is it important to understand these laws in the first place?
What is the GDPR?
The General Data Protection Regulations (GDPR) is a legal framework that provides rules on how companies, governments, and other institutions can collect and process the personal information of individuals who are residents or citizens of the European Union. The regulations apply to all organizations that handle personal data of EU citizens, even if such organizations are outside the EU.
Proposed in 2012, GDPR is an update and revamp of the limited security standards of the 1995 Data Protection Directive. The European Parliament passed GDPR regulation act in April 2016, but the law did not take full effect until May 25, 2018.
Under GDPR guidelines, companies should get the customer’s approval before they can process the data. The customer has the right to know what information the companies collected, why it’s collected, and with whom they will share it. Companies should not ask for unnecessary data or store any for longer than needed. Customers have the right to request for correction and removal of any inaccurate data.
More importantly, the organizations should have appropriate security protocols that protect the information they store. In case of a breach, the data controller should notify the relevant authorities no later than 72 hours. Also, organizations that handle data on a large scale or those that manage sensitive personal information, such as medical records, must hire a Data Protection Officer.
Large companies that fail to comply with the regulations can face a fine of up to €20 million or four per cent of their overall yearly revenue, whichever is greater. For less severe violations, the penalty is slightly lower, around two per cent. In 2019, Google paid a staggering €50 million for failing to provide users with accessible, clear, and transparent information about its data consent policies.
What is the Data Protection Act?
The Data Protection Act is a British national law that governs the processing of personal information by all public and private organizations, businesses, or the government. The Data Protection Act of 2018 is the third and most up to date of the UK’s data protection laws. The new act supersedes the older data protection laws of 1998 and 1984.
The DPA regulates the handling of personal data, protects individuals’ rights to privacy, enables the Data Protection Authority to impose rules, and holds non-compliant organizations liable to penalties. The Act sets guidelines for data sharing and security, as well as provides stricter protection for more sensitive information such as ethnic background, political opinions, religious beliefs, physical and mental health, sexual life, and criminal history.
Emphasis on individuals’ rights is one of the highlights of the DPA. The Act ensures that individuals have the right to know what information companies store and how they use the data. Individuals can also compel companies to remove or rectify any inaccurate, incomplete, misleading data on file. Furthermore, individuals can either restrict organizations from processing their information or allow them to reuse the data for other services.
The DPA carries fines up to £500,000 for serious non-compliance. In 2019, Facebook paid the highest fine possible for its role in the Cambridge Analytica Scandal.
What is the Difference Between GDPR and the Data Protection Act?
Now, isn’t the DPA a duplication of GDPR? Don’t the two legislations overlap? While GDPR aims to strengthen and standardize data protection protocols across the European Union, it also allows members to adjust aspects of the legislation to make them applicable in their countries. The UK needs to comply with the policies of the GDPR; however, it can make minor changes as it deems fit, particularly in legal proceedings and national security.
The modifications made by the DPA to GDPR resulted in differences, some subtle while others not so, between the two legislations. Under GDPR, the age a child can consent to data processing is 16, while in the DPA, it is 13. GDPR also has a broader definition of personal identifiers, which include IP addresses, internet cookies, and DNA. In processing criminal data, the GDPR requires that the collectors should be persons with official authority, but not so with the DPA.
The GDPR states that individuals have the right to restrict companies from conducting automated decision making or profiling; however, the DPA allows the practice as long as the organization has legitimate grounds for doing so and safety measures are in place. The GDPR prioritizes individuals’ rights concerning the handling of their data. The DPA, however, may dispense with these rights if compliance with them would seriously hamper an organization from gathering data for scientific, historical, and statistical purposes.
In short, GDPR sets the base rules, while the DPA tailors how these provisions apply to the country by adding requirements or providing exemptions. Therefore, the DPA is the UK’s enactment of GDPR.
Why Do Your Employees Need to Know This?
Both GDPR and the DPA are serious guidelines for protecting the personal data of customers. Extremely serious that established companies such as British Airways and Marriott International are facing staggering fines, €200 million and €99 million respectively, for failing to comply with the security policies that led to a breach of data.
Because the World Wide Web is an indispensable aspect of running a business, there is no way around this legislation. After all, we live in an age when information is a valuable currency. But while the GDRP and the DPA pose challenges for businesses, they also create opportunities.
Being GDPR and DPA compliant increases customer’s confidence, which in the long run, increases your company’s profit. Compliance starts with personnel who understand the principles of the GDPR and the DPA. Be sure that your employees undergo GDPR compliance training in these legislations. A survey reveals that businesses who show they value their customers’ privacy, who are clear about how they use personal data, and who put clients at ease with reliable security measures have higher customer retention.