We generate 2.5 trillion bytes of data every day, according to multinational consultancy firm IBM. This big data business is amplified by social media and cloud storage. We are creating more personal data than ever before, and companies are processing it to obtain useful information about their customers. The Spanish Data Protection Act (LOPD, Ley Orgánica de Protección de Datos) has been in place for over 15 years, but technology has led to it being updated to protect basic human rights in the new innovative technology ecosystem. We are now less than a month away from its adaptation to the EU General Data Protection Regulation (GDPR), which comes into force on 25 May.
Although the key GDPR data protection principles are in line with the old LOPD, the new regulations introduce major updates that affect the way in which EU citizens’ personal data is collected and processed, as well as the companies that work with this information. These regulatory changes affect tech giants like Google and Facebook as well as small and medium enterprises, as big data technology is now used in clothing stores, restaurants and petrol stations. The new updates include:
- Increased territorial scope, affecting all companies that process personal data belonging to EU residents, irrespective of whether this data is processed outside the EU.
- Penalties for companies that fail to comply with GDPR, including fines of up to 4% of their annual global turnover or €20 million, whichever figure is higher. It is important to note that these rules apply to both controllers and processors, meaning that cloud services will not be exempt from GDPR enforcement.
- Conditions for Consent are strengthened. Companies won’t be allowed to use illegible or incomprehensible terms and conditions. These must now be easy to access and must use clear and plain language, to ensure that users understand what they are accepting.
- Data Subject Rights ensure that individuals are aware of whether their data is being processed, where it is being processed and for what purpose. Data controllers must provide a digital copy of the personal data they have processed, free of charge, for the purposes of transparency and to empower customers.
- The Right to be Forgotten allows individuals to require data controllers to delete their personal data, stop disseminating this information and make any third parties stop processing their data. The new regulations also state that data which is no longer relevant to the original purpose of the data processing must be deleted.
- Privacy by Design means tailoring data collection systems from the beginning, to ensure that they only collect the data required for them to function (data minimisation). In the UK, the ICO (Information Commissioner’s Office) promotes personal data protection and has published a report on GDPR compliance for big data projects. The report analyses whether it’s possible to create new data categories according to whether or not these are ‘observed’, ‘derived’ or ‘inferred’, all of which are subject to the GDPR principles. It believes that companies that use big data must define the purpose of their data analysis from the start.
- GDPR regulations require companies to establish internal processes for keeping records of the personal data they hold. This includes the requirement to appoint a Data Protection Officer (DPO) for controllers and processors whose activities focus on data processing operations that require regular and systematic large-scale monitoring or special data categories.
Retailers are not exempt from these obligations. The use of systems like digital signage with sensors or cameras, or website cookies means that they are subject to this new European regulation.
GDPR application could be a headache for unprepared companies, but the right advice can turn this problem into a business opportunity and help avoid repeating situations like that of Cambridge Analytica. Responsible use of customer data is more than a legal issue; it also affects your business reputation and visibility. Cambridge Analytica went into bankruptcy following the latest scandal. New regulations will allow companies and businesses to continue using the latest data collection technologies to provide better customer service and optimise their campaigns, under ethical regulations. Ethical, anonymous customer data processing provides added value to any brand, which consumers will appreciate when they enter your stores.