What GDPR laws mean for you

Wednesday, July 25, 2018


Post written by Rodrigo Machado - Head of Technology, Mobile Advertising


General Data Protection Regulation (GDPR), the new EU regulation designed to update the existing data privacy, security and protection rules, is an important matter that is changing the whole data industry. That's why it is no surprise that this subject has already been raised twice on our blog, first presenting the concept and then showing how data portability will affect the market. What we have not yet covered is how GDPR will affect end users in their daily digital lives and how one can spot whether a company is not complying.

Thanks to GDPR, people who live within the EU will be able to access all the data that is collected on them. For good measure, many companies are extending this to all places where they provide services. Therefore, independent of where you live, it is already possible to request access to your data from big tech giants such as Google, Facebook, Apple, Microsoft and many others. It is worth noting that this rule does not only apply to tech / internet companies but also to any other company that keeps any data on an end user.

Just as you have the right to see your data, you also have the "Right to Erasure" (a.k.a. the Right to be Forgotten). EU individuals can require companies to stop processing their information and, more importantly, to remove their data altogether.

Figure 1. Consent is the key when it comes to processing your data - you must perform the action of giving consent, like ticking a box for example

In order to collect and process user data, companies will need to request consent from the end user. According to GDPR, consent must be valid, freely given, specific, informed and active. This is very relevant, and one should pay attention to the following items as part of daily digital life:

1. End users need to take an explicit action, such as ticking an unchecked opt-in box, to be considered as providing consent. If a tick box comes pre-checked, consent is not valid. For example, when making a purchase from a site, one has the option to receive future related offers at the e-mail address the purchase is registered with. This option cannot be pre-checked; the tick box has to be actively ticked.

2. Consent needs to be given for a specific purpose and not bundled up as a condition of service unless it is necessary for that service. For example, if a site offers a free white paper you want to read, it can ask for your e-mail address in order to send it, but it cannot require you to subscribe to its newsletter.

3. Any consent can be easily withdrawn at any time. Imposing obstacles to withdrawing consent is now unlawful.

4. Lastly, it is the company's obligation to keep a record of your consent. The burden of proving consent is on the company's side. Therefore, whenever a dispute arises, the company needs to provide: when consent was granted, what information was given during the consent process, how the consent was given (a check box during checkout, for example), and other pertinent information.

Figure 2. Companies are obliged to keep a record of user's information and provide it to them, if necessary


GDPR expects the companies that hold and process end user data to take all the measures needed to protect it. Organizations must embrace a number of recommended practices already recognised by IT and security experts as part of the information governance methods being put in place. The most important measures are: implementation of risk management, policies focused on enabling data security, technical controls for secure data management, effective data breach prevention, and detection and response procedures in case a breach happens. Furthermore, data protection safeguards should be in place from the earliest stage of product and service development. Companies now state their security governance and compliance with GDPR on their sites. See Facebook and Google for good examples of this.

In the case of a data breach, even if all the measures listed above are in place, the company that holds your data is expected to report it to the relevant EU authorities within 72 hours of detection. Furthermore, if the breach is likely to affect the rights of end users, the company must also inform the end users.

Organizations are being "incentivized" to comply. A company that fails to notify of a breach faces fines of up to EUR 10,000,000 or 2% of its annual worldwide net sales, whichever is higher. Additional fines will be imposed for failing to take adequate security measures to safeguard personal data, which can be up to EUR 20,000,000 or 4% of its annual worldwide net sales.

The digital ecosystem has experienced a spectacular transformation in recent times, and the growth in the volume of data collected and managed represents a great opportunity for societal advancement. Consequently, this requires the correct management of every kind of information, whether personal, anonymous or aggregate, by the organizations handling user data. GDPR governs this management, and end users now have more information with which to verify whether the organizations managing their data are complying.

Telefonica, as an important participant in this ecosystem, acknowledges the statements in the previous paragraph and is committed to its customers with regard to their privacy and security. Telefonica works relentlessly towards building a relationship of "digital trust". For more information on Telefonica's privacy and data security positioning, access here.

