‘Pry’vacy: The case for implementing privacy regulatory requirements

Before getting started, there are a couple of concepts that should be introduced. Namely, ‘privacy’ and ‘Pry’vacy. While they may sound the same they are actually diametrically opposed (plus one term was invented by yours truly). The following definitions will guide the ensuing discussion:

• ‘Pry’vacy (n): the quality or state of being under organizational surveillance, typically leading to individual dissatisfaction and increased lack of trust when a breach of privacy is discovered.

• Privacy (n): the quality of or state of being apart from company or observation.

The evolution of privacy

If you asked someone twenty years ago what privacy meant to them, their response would likely differ from the answer they would provide today. Just a handful of years ago, individuals could mostly draw a line in the proverbial sand that demarcated public versus private spaces and the areas to which they were entitled to some reprieve from watchful eyes. For example, someone may have responded to the original inquiry by stating they had and expected complete privacy within the confines of their home. That was typically the case except for a few anomalies (think super secret wire-tapping). No one outside of your home would know what you ate for breakfast, discussed around the dinner table, or watched on the television. 

However, the concept of privacy has increasingly eroded with the proliferation of technology that watches, listens, and tracks every move. You can expect to be surveilled to some degree, regardless of whether you are in a public or private space (think smartphones, Amazon’s Alexa, Google Home, or even applications aimed at treating mental health). And it doesn’t matter whether or not you believe you are entitled to privacy. Many tech juggernauts have made their fortunes, in part, from harvesting and selling consumer data while leaving their users feeling as though they’ve been robbed. 

CONTINUED READING

See how the US and the EU compare on data privacy law

The reach of GDPR’s extend beyond its regulatory requirements in the form of its influence on similar legislation in the United States.

Read more

‘Pry’vacy today

Case in point, the 2018 Facebook-Cambridge Analytica scandal. Central to the scandal was Facebook’s acquiescence in allowing Cambridge Analytica to harvest the data of an estimated 87 million people worldwide without their consent. But it wasn’t just the data harvesting that caused a commotion but the aggregation and manipulation of data used to identify American voters’ personalities and influence their voting behaviors.

It is no wonder that participants of a 2019 Pew Research Center study focused on Americans and Privacy overwhelmingly shared an inherent distrust of how their data is collected and used. 

More pointedly, the study focuses on certain aspects of corporate and consumer behavior that illustrate the challenges organizations face due to demands for increased accountability. The study includes analysis of a general lack of understanding about data privacy laws by consumers, a sense of or acknowledgment about consumer online activities being tracked, or consumers not feeling in control of their personal data. This demand for greater corporate accountability is outlined in a survey conducted by McKinsey where 71% of respondents stated they would no longer do business with a company that would give their data away without explicit consent 

So what can organizations do?

Consumer perception, as a whole, is shifting toward a mistrust of corporate behavior regarding the use of personal data. Therefore, organizations should focus more on protecting consumer data (e.g., using data for limited and agreed-upon purposes and deleting data once it has reached its end-of-life.) In essence, the opportunity exists for organizations to prove to consumers that they are moving from a regime of ‘Pry’vacy, where companies profit from the exploitation of consumer data, to a regime of privacy where consumers feel safe from prying corporate “eyes.” 

Organizations can cultivate trust with consumers by adopting privacy laws, regulations, and practices that protect consumer data while allowing them to achieve business goals and interests. 

So, how can this be accomplished? Fortunately for you, privacy laws and regulations are being enacted all over the globe aimed at protecting individuals’ data. Namely, and the subject of this piece, the General Data Protection Regulation. 

What is the European Union’s General Data Protection Regulation (GDPR)?

Effective May 25, 2018, the European Union began enforcement of the General Data Protection Regulation (GDPR). The GDPR created the most stringent global data privacy requirements to protect “natural persons with regard to the processing of personal data.” Consequently, businesses that collect, process, target, or in any way interact with the personal data of European Economic Area (EEA) citizens must now comply with the requirements of the GDPR. Failure to do so may result in hefty fines totaling 10 million Euros or up to 2% of an organization’s entire turnover for the preceding fiscal year. That amount only considers “less severe violations” of the GDPR.

At its core, the GDPR fulfills its objectives via the following mechanisms: (1) the creation of individual rights;  and (2) obligations imposed on data controllers and processors. More specifically, data subject rights include the following non-exhaustive rights, which should be considered and accounted for via organizational processes:

• Right of Access: the right to request and receive confirmation that an organization holds personal data. 
• Right to Rectification: the right to correct any personal data deemed inaccurate or incomplete. 
• Right to Erasure: the right to request that some or all personal data be erased. 
• Right to Object: the right to object to the processing of personal data. 
• Right to be Informed: the right to be informed about collection and use of individual personal data. 

Organizations must also consider a host of obligations that include, but are not limited to: 

• the types of data collected (personal v. sensitive)
• the format in which data resides (plain-text, pseudonymized, or anonymized)
• obligations imposed via the use of certain personal data, which may require the assignment of a Data Protection Officer or EU Representative; and 
• breach notification timelines. 

This non-exhaustive list of rights and obligations may seem overwhelming to digest and implement. But with the right help and guidance, you can be well on your way toward increased customer satisfaction and regulatory compliance. 

How can Thoropass help?

If your organization is contemplating or currently processing the personal data of EEA citizens, Thoropass experts are available to help you evaluate your current policies, procedures, and processes against GDPR requirements. Our trusted experts undergo rigorous training in their disciplines and are equipped with insight and hands-on experience, so you are never alone on your GDPR compliance journey.

Recommended for You

How GDPR impacts privacy legislation in the United States

While none quite so broad in scope, a number of GDPR equivalents exist in the US that organizations may need to comply with.

Learn more about GDPR