Making sense of the GDPR
What is the GDPR?
The General Data Protection Regulation (GDPR) is a set of European laws that govern how a company collects and uses its users' data. These laws are intended to stop organisations from accidentally or intentionally misusing the data of their users (cue the Mark Zuckerberg case where millions of Facebook users in the US had their data taken by political consultancy firm, Cambridge Analytica — awkward).
What is user data?
When we refer to ‘data’ we are referring to the personal information a user enters when they first sign up to a website. Facebook is a great example of this. During the sign-up process you are asked questions like what is your name, your email address, your date of birth, gender and so on. This may seem like irrelevant information, but this data can be given to third-party services to help advertisers target users.
Who wants access to this data?
User data can get personal, very personal. Especially when it involves your bank details, medical information or your computer's IP address. The worst part? Once data is leaked, there is no way to get it back. Now you are probably asking yourself, “who could benefit from such data?”. Valuable user data can be sold on the dark web for a large price. Usually a “broker” will purchase this data and sell it on to a “carder”. The “carder” then uses the credentials to buy gift cards for stores like Amazon.com — essentially anything that cannot be traced. These gift cards are then used to purchase items such as electronics, which are resold on eBay or the dark web.
Who is affected by the GDPR?
Why should organisations comply?
Non-compliance with the GDPR can result in hefty fines for large corporations. The kind of fines that can send these companies bankrupt. GDPR fines can go up to 20 million Euros or 4% of your annual global turnover, whichever is higher. Small businesses are no exception and will receive the same fines for any type of data breach.
How do I protect my company from these fines?
The main thing to remember is that you need to allow an individual to make their own privacy decisions and to consent to any data collection. As expressed in the Australian Privacy Act, the four key elements of consent are:
· “The individual is adequately informed before giving consent”
· “The individual gives consent voluntarily”
· “The consent is current and specific”
· “The individual has capacity to understand and communicate consent”