Marcia Klingensmith

5 Questions to ask about GDPR and Protecting Customer Information in the Digital Age

GDPR went into effect in May of 2018, designed to protect consumers' privacy and to give them control over their own data. This article highlights some considerations about the legislation, its impact, and complying while staying secure.


What is GDPR and when did it go into effect?


GDPR stands for “General Data Protection Regulation” and is a set of privacy laws in the European Union (EU) designed to standardize data protection laws and govern how companies collect, process, and store personal data. It was enacted in Europe and went into effect May 25, 2018.


Why was the GDPR law created?


For years, we’ve seen data breaches on the increase. According to the Identity Theft Resource Center's 2018 End-of-Year Data Breach report, there were 135 data breaches in 2018, with 126% more customer Personally Identifiable Information (PII) data exposed than in 2017. That’s more than 446 million records exposed. Per IBM’s 2018 Cost of a Data Breach Study by Ponemon, the average cost of a stolen record is $148, which equates to $66 billion of losses a year!


We’ve seen breaches at companies like Marriott, which impacted more than 383 million people worldwide, exposing passport numbers and driver’s license information, along with other details like date of birth: information that may have been needed at the time of service, but perhaps should not have been retained longer term. Additionally, we’ve seen abuse of customer information like that in the Cambridge Analytica data misuse scandal.


Sharing personal information can lead to better, more seamless experiences for the customer, resulting in better engagement with businesses, which results in more sales and revenue. However, the need to protect this data is critical. Exposed data is passed around an underground ecosystem where criminals monetize PII data through identity theft, which can have a lasting impact on its victims.


Who does it impact?


While it was the goal of the European Parliament and the Council to protect consumers from unsafe or unfair collection and processing, and to give European Union consumers control over how their data is used, we are finding many countries implementing similar legislation to protect their consumer base.


According to Comfort Insights, other countries that have adopted comparable privacy laws include Brazil, Australia, Japan, South Korea, Thailand, and the United States. United States privacy laws vary by state, with the strictest policy being the recently passed California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. The CCPA serves as a role model for other states, and since then several other states have introduced similar privacy bills and proposals. The CCPA will also require organizations to focus on user data and provide transparency about how they are collecting, sharing and using such data. PWC highlights some of the differences in legislation, in case this is of interest.


What does this mean for me?


User consent is a key component of this legislation. You can’t assume that a consumer is willing to share their information; they must “opt in” to having their information collected (and you are not allowed to pre-check that box for them!). The best way to get this consent is to provide full transparency on what data is being collected, why it is being collected, how long the data will be retained, and how the data will be used. Be sure to keep a record of this consent.


Consumers also have the “right to be forgotten.” This means that you have to give the consumer a means to request, at any time, that their information be deleted. You must have a process in place to appropriately purge the customer’s data when that request is received.


Additionally, to reduce the risk associated with maintaining data, the legislation requires any company that collects or processes personal data of residents of the EU (whether or not that entity is itself located within the EU) to collect only the information needed to support the service or function that the data is being collected for.


To protect the company and the consumer, there are some general principles to consider:


  • Be clear on what you are collecting and why, and with whom the information will be shared

  • Don’t use personally identifiable information (PII) if you don’t have to

  • If you have to use/collect PII data, use the least amount possible

  • Do your best to ensure what is collected is accurate, and if relevant, kept up to date

  • Access to PII data should be on a “need to know” only basis

  • Make sure that people handling PII data are aware of the sensitivity of the information and their obligations to protect it

  • Understand and comply with any legal requirements around the use of such data, including cross-border transmission of data

  • Don’t penalize the customer for exercising their rights to privacy


A Privacy Policy should include things like:

  • Information the customer provides to the company, its purpose, and related data elements

  • Information collected from interactions, the sample situations, and related data elements

  • Information the company collects from 3rd parties, use cases, and related data elements

  • How the company shares the information it collects, interactions between consumers of the service, interactions with 3rd parties, and related data

  • Customers' control of collected data and methods to opt out

  • Other data concerns like security, children’s privacy, changes to the privacy policy, and who to contact if there are any questions


How do you remain secure while still being compliant?


You might be asking yourself: If the customer has full transparency and gives consent to all data collected, then doesn’t the bad guy also have that transparency into what is being collected and how it’s being used, making them able to reverse-engineer the situation to spoof it?


The good news is that GDPR does have some clauses under which, for a “legitimate interest” like fraud prevention, companies don’t have to gain consent to collect customer data or delete data.


Of course, protecting consumer privacy is important! There will, however, continue to be a fine line on what information is collected and how it is used. The bad guys are watching and looking for loopholes. Stay alert and keep the customer in mind: balance their rights with their best interests.

