Several technology organizations around the world have succeeded in becoming compliant with various quality and security management standards. They have not only achieved compliance, but have also upheld those standards consistently over the years.
Over time, interaction between industries and the communities they influence has increased massively. This interaction is no longer limited to the local community; it has become truly global, as people anywhere on the globe can receive and transmit information (including their personal information) to the organizations with which they interact.
Recently, however, people and organizations have started to place far greater importance on the privacy of their clients' data than in the past, and organizations are compelled to build security systems that protect this information.
The General Data Protection Regulation (GDPR) is a regulation that was adopted on 14th April, 2016 by the European Parliament, after four years of preparation and debate. It will come into effect on 25th May 2018 and applies to organizations anywhere in the world that collect or process the personal information of EU citizens. The EU Parliament has recognised privacy as a fundamental right of its citizens.
A controller is the entity that decides what data is collected, why it is collected, where and how it will be used and how it will be processed, while a processor processes this personal data on behalf of the controller.
When we refer to personal data, we must know what comprises personal data or private information. Any information about a natural person that can help identify that person, directly or indirectly (a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer's IP address), is regarded as data that needs to remain confidential.
The consequences of breaching GDPR can be quite taxing. You risk going out of business if you are an MSME organization and do not uphold the regulation. You also face a maximum fine of up to 4% of your annual global turnover or €20 million, whichever is higher. This fine is imposed if the organization is found guilty of serious infringements, e.g. not having sufficient customer consent on record to process data, or violating the core Privacy by Design concepts. Fines are levied in a tiered approach based on the severity of the infringement; e.g. a company can be fined 2% of its annual global turnover or €10 million for not having its records in order (article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment. Please note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.
Let's look at some real-life cases of violations and penalties.
Case 1: Honda fined £13,000
What did it do?
Honda sent 289,790 emails aimed at clarifying its customers' choices for receiving marketing. The data had been acquired from numerous sources, including sign-ups made via the website and promotional events, customer details passed on by dealers, etc.
What went wrong?
Honda could not provide evidence that customers had ever given consent to receive this type of email. Furthermore, its emails were not related to customer service, but were instead classed as marketing.
Case 2: Flybe fined £7,000
What did it do?
Flybe sent 3.3 million emails in August 2016 with the subject line 'Are your details correct?', advising recipients to amend any outdated information and update any marketing preferences. The email also offered an opportunity to be entered into a prize draw on completion of the preferences update. Flybe had categorized this campaign as 'data cleansing'; however, the ICO did not accept this claim, as the email had been sent to customers who had previously opted out of receiving marketing messages, and who therefore would not require any update to their records.
What went wrong?
The customers contacted by Flybe clearly had an opt-out status, meaning the company simply did not have the right to contact them via email. Secondly, the email contained an incentive; under the new standard of consent, consent must be freely given, and offering an incentive does quite the opposite.
In my next blog I will elaborate on GDPR and identify various scenarios of how the offshore tech industry can apply the standards, in an attempt to map the responsibilities of organizations for GDPR compliance.