Regardless of the type of job you are dealing with, whether you are completely digital or not, whether your business is in EU or in the foreign market, this is the topic you should educate yourselves on.
Namely, the European Union introduces a new regulation on personal data security on the Internet, the so-called GDPR (General Data Protection Regulation), which will come into force on May 25 this year, and which will set new global standards when it comes to the rights to use personal data.
This is one of the most controversial EU regulations in the last few years, which will appeal to all of our clients, and we have decided to pay special attention to this issue.
If you are a website owner, in the future you will need to tell your customers what information you have, how you collect and process them, how long you keep them and who you share them with. You also need to vouch for the security of this data.
Every day we leave countless personal data on various devices, and this data goes further into the boundless space we call the cloud. That cloud is, literally, nothing other than another (someone else’s) computer.
It is speculated that in the near future no one will be able to hide anything about themselves, because everything will already be in the cloud (read: written). In order to at least get the optimism among these lines, according to the new regulation, the ownership of personal data will be treated just like ownership over any other property.
Therefore, every citizen can ask you, as a company, for information such as why you collect their personal information, as well as demand that you delete everything that you personally own about them.
Wondering why all this?
The GDPR decree is designed to enable individuals to have control over the use of their personal data, since the right to privacy (and privacy of data) is the basic right of every citizen.
In the light of the period in which we live, where different stakeholders collect, preserve, process, and monetize personal information in various ways, it is time for a regulation that gives individuals the right to vote when it comes to the use of their data, and which imposes stringent standards that relate to data collection and data security, as well as their use on actors involved in collecting and processing these data
Given that the previous regulation dates back to 1995 (Data Protection Directive), its volume does not reflect our everyday life inadmissible from the Internet and the technology we use today.
At a time when banking, purchasing, paying utility costs, as well as most other things is done online — the threat of personal information abuse is alarming, identity theft is an everyday occurrence, etc.
GDPR obliges you (business) to report any incident involving privacy violation, data theft, etc. to competent institutions within 72 hours.
The announced penalties for violations of regulations amount to up to €20 million.
Which personal information should we look out for?
The question is which data is covered by the regulation, and the answer is simultaneously both simple and complicated: any information that allows identifying a person.
Specifically, the new rules generally have a tighter definition of personal information, so now your location data (where you are), online identifiers such as IP address and IMEI mobile phone number, information about your genetics and health, biometric data, race data and ethnicity, political attitudes, sexual orientation.
For businesses, this means that they would have to review all this information and conduct a detailed audit to determine which data they actually possess and whether they fall under the regulated privacy.
Here at Avalon, we have been very serious about this, and are now in the process of completing this process, regarding which we will promptly inform all our users.
Encrypted data may also be subject to GDPR rules, depending on how easy or difficult it is to identify to whom they belong.
Increased use of Cloud as a result of GDPR or what does that mean for the market?
27% of companies in EU already use cloud technology. GDPR will shift this statistic further and encourage businesses to go cloud.
Large companies in EU were ready to meet the new GDPR regulation, and they formed special teams dealing with the implementation of the regulation. The financial and IT sector are ahead in preparations for the new GDPR.
Banks, IT companies and other modernized participants who already have experience in the use of new technologies are ready for the readjustment, which can not be said for other users, even in the public and state sectors.
Small businesses in trouble
There is a huge issue regarding business compliance for small businesses, especially if they have business software installed at their location, because all adjustments will have to work independently and individually.
Few of them, unfortunately, can afford thousands of euros for the ubiquitous recently emerging newcomers in the field, who are publicly frequently self-represented as GDPR experts.
The situation is somewhat better if the company has “someone else’s” software. For example, Microsoft will let all their users using Office, ERP, and CRM to provide automatic adjustment, but we all know that such companies in European Union are few, taking into account the total number of companies.
In example, according to rough estimates, there are at least 60,000 companies just in EU’s youngest member Croatia, that will need to apply the GDPR. And think about every small business in the whole European Union.
With GDPR, another regulation will contribute to the transition to cloud. This regulation is called the Payment Service Directive 2 (PSD2), which deals with opening up banking IT systems to partners and competition over the internet. It is actually already valid, but will only become operational in September 2019.
For such companies, cloud will be the only option.
Global / Big Players
GDPR will globally hit all major world players, including the big American five: Amazon, Apple, Google, Facebook and Microsoft. Practically, they will be deprived of the monopoly that they had so far over user data of people from the EU, that is, the description of private lives that Facebook has collected from the users through their network and on whose base they have built a business.
Have you ever considered that Facebook or Google could be eavesdropping on you? Hold your cell phone and talk to your friends about a topic, for example — a summer vacation in Croatia, and the next day you will see ads on Facebook and Google that offer summer holidays just in Croatia.
This is just what the case is about here. The first thing that will hop on your mind now is: Facebook is spying on me and uses my microphone for that! This is rather unrealistic, because for something like that, even the entire NASA technology would probably be insufficient.
Unlike Facebook, Google has permission to use your voice over your cell phone, but again — only if you allow it. If you use voice search services like “OK Google”, all your voice inputs will be kept in the Voice & Audio Activity tab of your Google Account.
The thing is that some clouds on the Internet hold a lot of personal data. This data could be left whenever and wherever while being online. Large businesses simply purchase these databases, align them with our accounts on their platforms and serve us personalized ads.
The good thing in all this is: No one is listening to you. Bad thing: They still know all about you.
For example, your credit history history, which music you are listening to, which TV shows you are watching, what you google in the darkness of your room, where you’ve been while your cell phone location tracking was enabled for all these apps to track you, what apps you downloaded to your device, etc. The list is endless.
Facebook, therefore, as soon as the regulation was announced in 2016, has rapidly built 3 data centers in the EU, which they had none before that. Similar moves are being made by other companies from the big five, as well by other large companies that will have to adapt their business accordingly because, despite the fact that official companies are located in the US, as long as they have personal data on EU citizens, these regulations still affect them.
The EU expects that GDPR will restore citizen confidence in online services, as we are becoming more concerned when it comes to our personal information, and trust is the key to every monetization, including the digital economy.
It was stated that a drastic change was necessary, given the huge shift in the way information is processed due to the large growth of the digital economy. Everything is much more complex now than during the 90s when Yahoo was a trend on the internet and when cookies were just that — tasty little cookies.
E-mail marketing and websites
If you use e-mail marketing, GDPR applies to you, above all with regard to the consent you must have from each individual subscriber in your base.
GDPR obliges you to explicitly obtain this consent and it has to be clear to the user how you will use this information when you get that consent.
This in practice means that you will need to have a GDPR-friendly contact form, which will help you to obtain and document user consent. You will need to allow the user to choose exactly what their email address will be used for. This will allow the user to indicate whether they want to receive promotional e-mails from you or if their e-mail address will be used for advertising purposes, etc.
The first thing to do is to review the personal information you collect.
– For what purposes / purposes do we use this data?
– Where do we store them and are they safe?
– Do we still need them?
Also, check out all other companies that may use this data and whether their behavior is in line with GDPR. Have in mind, every personal information you have means that there are also responsibilities around it, so make sure you only keep the data that you really need.
The good news in this mountain of new standards and obligations is: From now on, the contacts you will have will belong to those who are really interested in what you have to offer — which could open new opportunities for better conversion, increased number of clicks, visits, and hence the interaction. That means that less is not always less.
If you have an e-commerce website, and let’s say that the customer orders something from you, you will be able to place remarketing ads on that user only if they explicitly agreed to.
Let’s say you’re an HR company and a candidate applies for a job. You will no longer be able to send similar job offers to the same candidate if you do not have their consent.
Similarly, each plugin that is installed on your website must be GDPR friendly. You, as the web owner, are responsible for ensuring that each plug-in can provide insight, export, or delete the collected personal information of the user.
This could significantly complicate some of the most popular WordPress plugins. For example, solutions like Gravity Forms or Jetpack use a lot of modules that naturally collect user data. Each plugin owner (developer) has to establish the flow of information about personal information and inform users of their processing.
It happened to all of us, to download a mobile app, and when we get to the part asking for “access permission”’ — we change our mind. Why would a flashlamp application, for example, have access to our location, calendar, contacts, photo gallery? Absurd, right?
Therefore, in the light of the new GDPR regulation, special attention should be paid to the data you collect through mobile apps — just collect data which you can use for your business, inform users which data you collect and for which purposes, present the ways in which their information will be protected and everything will be in the best order.
The old adage — “a little oversupply never hurt anyone” does not seem to be applicable here anymore :)
This article was originally published at Avalon blog.