You click the accept button almost as quickly as that annoying notification pops up. No one actually reads those, right? Perhaps we should.
Cookies can store a wealth of data, enough to potentially identify you without your consent. Cookies are the primary tool that advertisers use to track your online activity so that they can target you with highly specific ads. Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances and, therefore, subject to the GDPR.
The General Data Protection Regulation (GDPR) came into effect in the UK in May 2018. It applies detailed provisions to ensure that personal data (any data relating to a real, identifiable person) is properly processed and kept secure, and it imposes a significant compliance regime on corporations which hold this data.
The GDPR builds on the existing data protection principles, as set out in the Data Protection Act 1998, but also makes significant changes, imposing stricter rules concerning the holding and management of data and also the use of personal data for commercial purposes. There are substantial rights given to individuals as to how information about them is collected and held.
The key principles are that the processing of personal data must be lawful, fair and transparent. This means that only the minimum necessary amount of personal data must be collected and only for specified, explicit and legitimate purposes.
The data must be accurate and kept up to date, with access to it and use of it restricted to only those who are necessary for the purpose, and it must be retained for no longer than is necessary and kept secure. The most significant addition is the ‘accountability principle’, whereby data controllers must keep records to demonstrate how they comply with the data protection principles. GDPR therefore has a huge effect on businesses, especially e-commerce, which faces a complete overhaul of restrictions.
Data privacy and protection should be priorities for every business, large or small. Data collection is now a critical component of all business operations, whether it is client data to perform a service or enterprise data to ensure operations of critical infrastructure.
In today’s operating environment and with the continued expansion of the digital economy, data is a critical corporate asset. In 2014, the Court of Justice of the European Union issued its now-famous Google Spain decision, recognising a so-called “right to be forgotten.”
The plaintiff sought a court order preventing the Google search engine from displaying a link to an article published about him. The plaintiff won the case and, as a result, Google set up an online form allowing individuals to request the exercise of this right. As of August 12, 2015, Google had received 294,977 delisting requests and deleted 58.7 percent (or approximately 628,102) of the 1,070,021 URL search engine results that the company examined as a result of the delisting requests.
While Google may seem to have been singled out, the lessons to be drawn are more broadly applicable. Privacy developments that seemingly involve only one company—namely, Google—have wider implications, and should be of interest to other firms as well. These developments impact various industries and categories of professionals: internet search engines, certainly, but also other internet intermediaries and companies that process personal data (including those that publish them on the internet), media, journalists, airlines, travel industries, and others.
There are tough penalties for those companies and organisations who don’t comply with GDPR: fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater. British Airways faced fines of €200 million for a data breach that occurred in September 2018 and Marriott International are expected to be fined in the region of €99 million for a data breach between 2014 and 2018.
In conclusion, data is a valuable currency in this new world. Whilst GDPR does create challenges for businesses, it also creates opportunity. Companies who show they value an individual’s privacy (beyond mere legal compliance), who are transparent about how the data is used and who design and implement new and improved ways of managing customer data throughout its life cycle will inevitably win the GDPR war.
By: Chloe Cooke – Ulster University
All BeComAware content is reviewed and approved by a professional in industry.