The management and security of personal data of European citizens is regulated by the ‘General Data Protection Regulation’, or in short ‘the GDPR’. It has been in force since Friday, May 25, 2018 and means that every organization must be able to demonstrate what personal data it collects and how that data is used and secured.
All companies, public services, organizations and institutions that process, use, register or store personal data in Europe must comply with this regulation. It is a set of rules to protect personal data and maintain its integrity.
Some of the GDPR principles are:
- Any organization that collects and/or processes data must ask permission to do so and its purpose must be clearly stated.
- The data must also be processed securely, using appropriate technical and organizational measures.
- Your data may not be stored indefinitely either. A clear retention period must be set out in the agreement. When this period has expired, the data must be made inaccessible.
What is a DPO?
In large organizations, a DPO (Data Protection Officer) must be appointed to monitor GDPR compliance. This should be someone with good legal knowledge of data protection law as well as administrative law. In addition, a DPO should have a good understanding of the processing activities carried out, the information systems and the needs of the data controller in terms of data protection and data security. In smaller organizations, however, it is not always possible to recruit a dedicated DPO, but someone must still be designated as data controller for these tasks (in addition to his or her core duties).
Is processing personal data an invasion of privacy?
Not necessarily. According to the GDPR, every time you process personal data as an organization, you are in fact invading the privacy of individuals UNLESS you have good reasons or purposes for doing so.
After all, as a business, you often need to process personal data to perform tasks related to your business activities. Without that data, business operations are simply not possible.
The GDPR provides 6 reasons or legal bases to process personal data:
- Consent: For example, you fill in all kinds of personal data to place an order with your favorite online shop or to enjoy the benefits of a loyalty card in a physical store. You then consciously share certain data with the respective (commercial) organization.
- Legal obligation: e.g. customer billing, check-in-at-work.
- Necessity to perform an agreement: for example, the data needed for the payroll administration of your employees.
- Vital interest of a person: for example, your medical file at your doctor’s office or a healthcare facility.
- Public interest: for example, the city is authorized to organize the parking policy on its territory, but cannot validate resident cards without having certain personal data.
- Legitimate interest: e.g. informing customers after a purchase via mailings about (other) products or developments that may be relevant to them, using cameras for the protection of property or people, etc.
What is the importance of the GDPR?
The main goal of the GDPR is to give people back control over their personal data. In this way, every EU citizen is protected. But the introduction of the GDPR is equally beneficial for organizations, even if they face quite a few hurdles or challenges before they can call themselves GDPR-compliant. The standardized regulations mean a simplified regulatory environment for international business. It regulates the transfer of personal data to countries outside the EU and affects doing business with integrity within Europe and beyond.
The GDPR protects all EU citizens. That means organizations outside Europe must follow the same rules when collecting and processing data of EU citizens, even if the laws in their own country are different.
Surely it is much better that there are now clear rules?
Processing data before the GDPR came into effect
Before May 25, 2018, there were of course all kinds of rules and laws regarding privacy. But these had been drawn up country by country, so they were not the same everywhere. Moreover, despite the existing rules, there were no clear sanctions for violating them. With the rise of big data and other technological developments, this fragmentation no longer worked. The need for uniformity and a common legal framework became imperative.
Organizations were given time to adapt to this new legislation, which was already approved in the European Parliament in 2016. Organizations that dare to disregard the rules after May 25, 2018, risk significant fines.
A violation of the so-called finality principle falls under the heaviest category, for which a maximum fine of €20 million applies or, for companies, up to 4% of their total global annual turnover!
Today’s facts: €1.1 billion in GDPR fines in 2021
Some notable numerical facts regarding GDPR fines:
- The very first GDPR fine in Belgium was issued to a mayor who had used personal data, obtained in the course of his duties, for his election campaign. The fine amounted to €2000.
- In Belgium, €508,000 worth of fines have been issued since the GDPR came into force.
- Even the Dutch National Police was fined for inadequate data protection.
- According to figures from law firm DLA Piper, which appeared in a January 2022 Datanews article, 1.1 billion euros in privacy fines were issued in Europe in 2021. That’s 7 times more than in 2020!
- The highest fine we saw was in Luxembourg, with a spectacularly high amount of €746 million for Amazon.
A record that gives us mixed feelings: on the one hand it shows that privacy is not very high on the agenda of (some) tech giants. On the other hand, it also shows that the GDPR does what it was created for.
- DLA Piper also notes an 8% growth in reported data breaches over the past year.
Data breaches ≠ Cyber crime
An (unfortunately not so recent) article by Belgium Cloud lists the most common causes of data breaches. Most leaks are not caused by dubious companies that have not put the GDPR high on their agenda, nor by cyber criminals who want to extort money from organizations or individuals.
No, the greatest danger lies with our own inattention or ignorance!
Most common types of data leaks:
- Human error: we all know (or have known) someone who unintentionally sent a file containing sensitive information to an incorrect e-mail address. This is a clear data breach.
- Hacking, phishing & malware
- Theft of a data carrier: sensitive information stored on a stolen USB stick, laptop or smartphone.
- System failure
- Improper use of access rights.
Duty to report data breaches
The data controller of any organization is required to record all data breaches. This person must assess the risk: could the breach affect the rights and freedoms of the persons concerned? If so, the data controller or DPO is obliged to report it to the Data Protection Authority within 72 hours.
To illustrate the difference in risk levels, consider the Log4j vulnerability that surfaced in mid-December 2021. The flaw is in a logging library used by Java applications, and hackers were already taking advantage of it: it allows them to execute code remotely.
Israeli government sites were attacked, and the Belgian Defense Department also fell victim to hackers: the mail traffic of the Ministry of Defense was down for a month. Vulnerabilities of this kind, which hacker groups can exploit to great effect, naturally pose a much greater risk than a colleague who has not ‘locked’ his screen when he goes for a bathroom break (although that also depends on his position and the type of organization).
Suivo and sensitive data
Suivo never becomes the ‘owner’ of its customers’ data, but data is the heart of our business. Dealing with customer data with integrity is therefore a priority for us.
It is useful to know that Suivo:
- uses an ethical hacking and bug bounty platform to minimize cyber security risks. White-hat hackers carry out penetration testing on a continuous basis. If there are any irregularities, we are the first to know and action can be taken quickly.
- always encrypts data, whether ‘in transit’ or ‘at rest’.
- only collects and stores data on servers of companies that can themselves demonstrate GDPR compliance.
- draws up a clear agreement for the processing of personal data that is known, approved and signed by the parties involved. This agreement describes both technical and organizational security measures, as well as agreements on confidentiality and the categories of personal data necessary for the functioning of the desired applications and modules on the IoT platform.