Data protection: consumers happy - panic in companies?
More rights and protection for users, stricter guidelines and higher fines for violations. The Federal Data Protection Act is being replaced by the Europe-wide General Data Protection Regulation. Background, information and tips …
Facebook and the data scandal
The latest data scandal involving Facebook and Cambridge Analytica is heating up the debate on data protection just as the new EU General Data Protection Regulation comes into force. Four years ago, the developer of an app passed information from Facebook profiles on to the data analysis company Cambridge Analytica. It is suspected that this data was used for election advertising in the US election campaign and to influence the Brexit vote, among other things. By its own account, Cambridge Analytica received data from around 30 million profiles, including those of numerous German users. Facebook CEO Mark Zuckerberg is in trouble: he has known about the disclosure since the end of 2015, but did not verify that the deletion of the data he had requested actually took place. Zuckerberg is now promising stricter guidelines to protect user data. For example, external access by apps to user profiles is to be restricted. Apps such as Tinder, which users can sign in to with their Facebook profiles, have so far received extensive information about their users. Protests and campaigns such as #deletefacebook in response to the data transfer could have a financial impact on the company. Entrepreneur Elon Musk set an example by having the Facebook pages of his companies Tesla and SpaceX removed. The outcry is huge and many users are concerned. But the real question is: hasn’t the use and analysis of such data long been part of our everyday lives?
Data analysis in digital marketing
The analysis of data brings several advantages for companies: processing user data and “micro-targeting” make it possible to identify target groups and thus, for example, to place targeted advertisements. The simplest example: you search for sports shoes in an online store and subsequently receive advertisements for similar products. The targeted use of customer data also makes it easier to strengthen customer loyalty: with the help of the e-mail addresses of your existing customers, you can send them targeted offers or an e-mail newsletter with information. E-mail marketing, trend analyses or customized marketing campaigns: the targeted use of data offers many possibilities. But what is allowed and what is not? Which data may be stored, and how? How is the data transmitted?
In addition to the benefits, the use of data also entails greater responsibility when handling it. The European Union has also taken this to heart: a two-year transition period ends on May 25, 2018 and the new General Data Protection Regulation comes into full effect.
The new General Data Protection Regulation
To come back to our question at the beginning: data analysis and use are definitely part of everyday business in the digitalized business world. If you use social media or apps on your smartphone, your data is usually analyzed and – within the framework of the law – processed further. For this reason, the GDPR, which was adopted by the European Union two years ago, is now coming into full force. The aim is to achieve more comprehensive protection of personal data. By May 25, 2018, all companies whose services reach users in Europe must have brought their data protection measures up to date. In the event of breaches, the fines will be increased from the previous maximum of 300,000 euros to a maximum penalty of 20 million euros or 4% of global turnover. In addition, breaches of data protection guidelines (whether caused by technical glitches or merely suspected) must be reported to the data protection authorities within 72 hours. Sounds scary at first? You are not alone in this opinion! Many entrepreneurs fear high penalties or warnings because they are uncertain about what exactly is required of them. But don’t worry: taken step by step, it all sounds only half as threatening.
Personal data
General Data Protection Regulation. Even the name seems unwieldy: what exactly does it mean? The General Data Protection Regulation regulates the purposes for which data may be collected, stored, used and processed. Its subject is the protection of “personal data”. And what is personal data? It is data that allows conclusions to be drawn about a specific person, such as a name, e-mail address or postal address, date of birth or character traits. It should be noted that this must be a natural person, i.e. not a company. Furthermore, it is not only about customer data, but also about the data of business partners, suppliers or employees – insofar as this data concerns information about natural persons. The general company address of my supplier’s office therefore does not count as personal data, but the e-mail address of an employee of that company does! The more sensitive this data is, the more obligations the company has. For example, health information that a doctor holds about a patient is classified as more sensitive than a customer’s postal address, which is needed to deliver goods. The company must also ensure that no unauthorized access to the stored data is possible. Accordingly, IT security precautions must be kept in line with the current state of the art, and stricter security measures must be implemented, especially for sensitive data.
Accountability, information and documentation obligations
Not only more protection through stricter regulations: the new GDPR also brings with it extended rights to information for consumers. In future, a company must be able to tell its customers, partners and employees what data it has stored about them. Of course, the data subject can also request the deletion of that data. Keyword transparency: what information is held about me, and where? And how is this data used? With immediate effect, every EU citizen has the right to receive information about their data under data protection law, and companies are obliged to respond to such a request within 4 weeks with the relevant information. In order to make this possible, and to comply with another requirement of the new regulation, extensive data processing logs must be created. All data-related processes are subject to a documentation obligation. Even the reason why a certain data protection measure is used must be recorded in future. That sounds like a lot of work. Initially, this is certainly true, but documenting the processes is definitely to our advantage: clarity and transparency are ensured and, if problems arise, the previous process steps can be traced directly.
The transition to the new General Data Protection Regulation
Important questions you should ask yourself about data protection:
- What data may be stored?
- How must this data be stored?
- For what purpose may the data be used?
- When must what be deleted?
- What consents, declarations or information are required?
- Do I need a data protection officer?
So what is important when it comes to data protection?
Overall, the General Data Protection Regulation aims to provide more comprehensive protection of personal data. What are the basic principles and considerations?
- Purpose limitation of data use and storage
- Data minimisation (data economy)
- Knowledge of retention periods
- Confidentiality and IT security
- Accountability, information and documentation obligations