“If we don’t act now to safeguard our privacy, we could all become victims of identity theft.” – Bill Nelson
“Privacy is not an option, and it shouldn’t be the price we accept for just getting on the Internet.” These words of the technologist Gary Kovacs broadly describe the standpoint and purpose of the GDPR, which imposes compliance obligations on companies, organizations and businesses for the benefit of online and offline users and beneficiaries of goods or services.
What is GDPR?
The General Data Protection Regulation (GDPR) is a standardized user data protection framework which operates across Europe and imposes obligations on many organizations that handle the personal data of people in the European Economic Area.
Privacy is a very important and critical concern for many organizations, and how an organization manages the data it can access often determines the growth and success of its business.
All organizations could learn a lesson or two from the world’s leading social media network, Facebook. In the first quarter of 2018 Facebook faced a lawsuit over privacy violations, a data breach crisis that affected an estimated 87 million of its users. A disaster of this magnitude could cripple any organization and put it out of business, especially when there are financial implications. GDPR compliance is therefore a very critical aspect that helps guard against breaches of data privacy.
Privacy Protection by the GDPR
Some of the categories of personal data that the GDPR protects include the following:
- Basic identity information such as name, address and ID numbers.
- Web data such as location, IP address, Radio Frequency Identification (RFID) tags and cookie data.
- Biometric data.
- Health and genetic data.
- Racial or ethnic data.
- Sexual orientation.
- Political opinions.
These sum up the major areas of privacy protection; however, GDPR compliance extends beyond the areas of data privacy listed above, and only certain companies are affected by it. These companies are mainly those that process or store personal information about EU citizens, including companies that have no business establishment within the EU.
Statistical Insight and Impact of the GDPR
Compliance for all affected industries and companies took effect on May 25, 2018, and the cost of compliance for many organizations has been estimated to run into millions. An early forecast by PwC estimated that about 1 to 10 million would be spent to meet the GDPR requirements, but a more recent survey by Propeller Insights in March 2018 shows that companies may actually spend less than 1 million.
According to the survey conducted by Propeller Insights in 2018, the following industries are the most affected by the GDPR, with the reported percentage for each: the technology sector (53%), online retailers (45%), software companies (45%), financial services (44%), online services (37%) and retail/consumer packaged goods (33%).
What Businesses Should Know
While compliance is mandatory, there are critical points that companies must examine and understand in order to implement these changes effectively.
In most organizations, the Data Controllers, Data Processors or Data Protection Officers (DPOs) are responsible for ensuring compliance. They are the internal groups that maintain and process data records, or any outsourcing firm that performs all or part of these activities. Data processors are always held liable for any breaches, and this may include processing partners as well, such as cloud services.
In addition, client contracts need to reflect the regulatory changes. These include forms, online click-through agreements or formal agreements in which commitments are made about how one accesses, views or processes data. Business leaders, IT and security teams must therefore understand how the data they need or use is processed, and agree on a compliant process for reporting, before contracts are revised.
Today, many affected organizations have implemented, or are in the process of ensuring, compliance with the GDPR. Many design and technology organizations, such as design firms, marketing companies, and news and email service providers, have already implemented these changes.
Case Study: Canva’s GDPR Compliance
Canva, the design company, for instance, is currently investing in features that help users easily manage and access their information within Canva, with more public information to be provided as the new features are made available. They are also working to ensure transparency about how they collect user information, what it is used for and how it is kept safe.
Canva, in its efforts towards GDPR compliance, also disclosed that negotiations and contracts with its third-party suppliers (such as Amazon Web Services) have been set in motion. Canva may share personal information with third parties or service providers who assist it with specific functions. Such functions may include billing, customer support and customer management, email services, hosting and storage, analytics, and delivery of physical goods. All of these processes are being reviewed with the third parties concerned.
Where amendments are required, Canva is making the necessary arrangements for data processing agreements with its suppliers. Canva has also disclosed that it recognizes its role in keeping user data safe by improving internal controls around employee access to data and around data security incidents, and is putting measures in place to ensure that user data remains safe.
Even though these new changes are likely to affect the way users interact with the design platform, Canva has assured its users that they will still be able to sign up and design anything freely, as well as publish their work on any platform of their choice.
Ultimately, we recognize that privacy regulations and regulatory bodies exist to ensure that both parties (organizations or service providers on one side, users on the other) have a mutually beneficial relationship that keeps business moving for companies. This also ensures that users or subscribers can benefit from the free or paid services they use without a breach of their privacy, a violation of trust that could harm users in various ways, aside from the huge consequences of a potential lawsuit and more for the companies and/or third parties responsible.
Kindly share with us in the comments section below what processes or steps your organization has taken to comply with the GDPR.