The Sinking Feeling of Being Watched
A lot has been happening in the last few months around users’ personal data. The news was all about Mark Zuckerberg, CEO of Facebook, and the Cambridge Analytica hysteria. Although that was a tremendously big mistake on both sides, I deeply believe they are not the only ones who “played” unfairly with users’ personal and private data. If I were ever to write a blog article on data manipulation by political, security, biological, social and commercial entities, I would have to perform weeks and months of research to dig into all the mess going on in this world. But no, this article is not about data breaches; it’s simply about a new regulation introduced by the European Union (EU).
This year, starting on the 25th of May, the EU introduced the General Data Protection Regulation (GDPR) for the data protection and privacy of individuals within the European Union. The law itself was adopted in April 2016 but only became enforceable after a two-year transition period. The penalties for not being GDPR compliant are extremely high, but let’s get real: if state institutions did not force companies with very high penalties, none of them would take this regulation seriously. The urge to make more money is so big that it’s never about consumers’ privacy. It might not necessarily be obvious to you, but in almost every minute of your life when you are tapping or clicking on some sort of device (a personal computer, laptop, tablet, smartphone, smart watch or whatever), that movement is tracked by somebody. OK, if you are using private browsing then you might get away, but in the majority of cases it doesn’t even cross our minds to set up private browsing.
(Source of photo: uptimesolutions.co.uk)
There are a few interesting facts about the GDPR:
- This is a regulation, not a law, so it does not require national governments to pass any empowering legislation and it is directly applicable
- Non-European companies/legal entities must also comply with this regulation if they collect personally identifiable information (PII) of EU citizens
- PII is basically everything related to the private, public or professional life of a user: name, home address, phone, email, bank details, posts on social networking websites, medical information, computer IP address, fingerprint, retina scan
- It controls the export of personal data outside of the EU zone
- Each country needs to have an independent supervisory authority, and all these authorities will operate under the European Data Protection Board
- If a company is subject to the GDPR it needs to have a DPO, a Data Protection Officer, who reports directly to the national supervisory authority
- Data collectors who work with or collect any personal data must be able to prove the user’s consent via an opt-in, both for the data collected and for the purpose the data is used for, with the right to withdraw that consent (even in the case of a call center where the conversation is recorded with the consumer’s consent given at the beginning of the call: if the user changes his/her mind at the end of the call, he/she may request that it be deleted)
- Users have the right to be forgotten: they can request that all their personal data be deleted or ask for it to be anonymized
- Users have the right to ask for copies of their data in a machine-readable format so they can take it elsewhere, to a different provider for example
- GDPR was conceived especially for social network and cloud service providers (read: because of Facebook, Google, Twitter, Instagram, Pinterest, AWS, etc., so for the BIG ones) but it applies to everybody
- If there is any kind of data breach incident, you must notify your users about it within 72 hours
- The penalty for not being compliant is €20 million or 4% of the company’s annual global turnover, whichever is higher
So this sounds pretty serious, which is OK I guess, as all of us care about the security of our data: no more check boxes enabled by default for certain newsletters or services, as that is considered a violation under GDPR. The penalty is enough money to sink a medium-sized or smaller firm.
The sinking feeling of being watched explained by Madhumita Murgia
From now on our mail boxes should be much cleaner: no more unwanted newsletters, no more recommended products without our consent. Of course, this is a bit overblown concerning e-privacy, but I personally do not see any other strategy by which users’ data could be protected properly. Consumers who care about their privacy have the tools to manage it and don’t need any help from the government, but the majority of internet consumers still do not know how to set up their privacy.
In this big advertisement ecosystem, companies are tracking and monitoring their consumers’ behavior to be able to profile individuals; in these cases users must provide their consent regardless of the type of monitoring. The most challenging thing is to have proper documentation for this: a data protection policy has to be present on your website in simple, common language so everybody can understand it. For companies outside the EU it might be scary that from now on they can’t transport data out of the EU or access it from outside the EU. With GDPR, companies will have to seriously justify why a CEO, for example, logs in from the US to check the DB. It’s similar with cloud services: if you host your stuff up in the cloud you need to have proper documentation in place showing that you are legitimately allowed to do so, who has access to your DB, and that you have the right controls and protocols in place; if all of these are in place you can also get Privacy Shield certification to actually run your business.
(Source of photo: Pinterest.com)
Clearly this new regulation is reshaping the internet and how ads are run from now on, and many interesting things will happen in the fields of journalism and the secret services. There is a huge dilemma around how journalists will mention private persons’ names in an article, how public figures will be handled by reporters and how GDPR can tolerate this. What we definitely do not want is to red-pencil what a journalist can and cannot write or say. Humankind fought for decades for freedom of speech and free access to information, so let’s just hope that this will continue to be one of the sacred basic human rights. As for the secret services, well… what can I say? Sensitive topic: if the institution tracks a terrorist’s phone I’m OK with that, but if it tracks my phone I’m not OK, not at all. Hard topic, so I would stay away from this aspect of life.
As you might have observed, we made quite a few changes around our projects too. We updated our Cookie Policies, Terms & Conditions and Privacy Policies, we added opt-out functionality, we performed penetration tests on HELGA for security reasons, we documented anonymization procedures, we started working with a QA testing company that makes sure nothing gets published without being tested, etc. We do care about your data; it’s been one of the highest priorities for Autofactor. Developing safe software makes your business secure, so this is another great motivation for us to continue this journey.
(Source of thumbnail photo from listing: Gatewaytovictory.wordpress.com)