The future of privacy in the digital age
By Consultant Bonnie Whitton
With the current discourse around the Cambridge Analytica scandal it’s no surprise many of us are questioning the amount of personal information we have inadvertently shared online.
Technology has completely changed the way we go about our day, and most of us don’t give a second thought to the data we share when we make a purchase, book an appointment or even do a simple Google search.
Companies collect data by processing and storing the personal information we provide, such as our name, address and contact number when we sign up for a loyalty card, for example.
Internet providers also collect information through cookies: a small text file, created when you first visit a website, that stores information. When you return to the site, cookies identify your device through your IP address and remind it of your previous activities, such as how many times you have visited the page, the links you have clicked on and even the locations from which you have accessed the page.
Ever wondered why that pair of shoes you looked at online keeps popping up in banner advertisements or while you’re scrolling through Facebook? Over time, cookies collect a breadcrumb trail of your activities, and this information is sold to companies that then use it to target their marketing communications – hence the shoes tempting you from the sidelines of your screen.
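The cookie mechanism described above, as an added Python example that is not part of the original article: a toy website that mints a visitor identifier on the first visit and recognises it on return (the "breadcrumb trail"), plus an audit of the Set-Cookie attributes that decide whether a cookie is persistent, protected, and able to follow a visitor across sites. The in-memory visitor store and the ad-network cookie string are constructed for illustration; the attribute names are the standard ones the browser understands.

```python
"""Toy model of cookie-based visit tracking and a privacy audit of cookie attributes."""
from http.cookies import SimpleCookie
import secrets

THIRTY_DAYS = 30 * 24 * 3600

# Constructed in-memory store standing in for the site's visitor database:
# visitor id -> number of visits seen so far.
site_visits: dict = {}

# Constructed example of the kind of cookie an advertising network sets so it can
# recognise the same browser on every site that embeds its banners.
RETARGETING_COOKIE_EXAMPLE = "ad_id=7f3c9a1e; Max-Age=31536000; Secure; SameSite=None"


def parse_cookie_header(cookie_header):
    """Parse a request 'Cookie:' header value into a SimpleCookie (empty if None)."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return jar


def handle_site_request(cookie_header=None):
    """Simulate one request to the site.

    Returns (set_cookie_value, visitor_id, visit_count). A first visit mints a
    random visitor id; a return visit reuses the id sent back in the Cookie
    header and increments its visit count.
    """
    jar = parse_cookie_header(cookie_header)
    if "visitor_id" in jar:
        visitor_id = jar["visitor_id"].value
    else:
        visitor_id = secrets.token_hex(8)
    site_visits[visitor_id] = site_visits.get(visitor_id, 0) + 1

    # Re-issue the cookie with attributes a privacy-conscious first-party site should set.
    resp = SimpleCookie()
    resp["visitor_id"] = visitor_id
    resp["visitor_id"]["max-age"] = THIRTY_DAYS  # persistent, but with a bounded lifetime
    resp["visitor_id"]["secure"] = True          # only sent over HTTPS
    resp["visitor_id"]["httponly"] = True        # not readable by page scripts
    resp["visitor_id"]["samesite"] = "Lax"       # not sent on cross-site requests
    set_cookie_value = resp.output(header="").strip()
    return set_cookie_value, visitor_id, site_visits[visitor_id]


def audit_set_cookie(set_cookie_value):
    """Summarise the privacy-relevant attributes of a single Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    (name, morsel), = jar.items()
    samesite = morsel["samesite"] or "unset"
    return {
        "name": name,
        "persistent": bool(morsel["max-age"] or morsel["expires"]),
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "samesite": samesite,
        # Only SameSite=None cookies travel with requests made from other sites,
        # which is what lets an ad network link visits across unrelated pages.
        "sent_cross_site": samesite.lower() == "none",
    }


if __name__ == "__main__":
    first, vid, count = handle_site_request()
    print("first visit:", vid, count)
    _, _, count = handle_site_request(f"visitor_id={vid}")
    print("return visit:", vid, count)
    print("site cookie:", audit_set_cookie(first))
    print("ad cookie:  ", audit_set_cookie(RETARGETING_COOKIE_EXAMPLE))
```

Run as a script, it shows the visit counter climbing on the second request and the two audits side by side: the first-party cookie is marked as not sent cross-site, while the constructed ad-network cookie is. This is the distinction behind the retargeted shoes: blocking or expiring third-party cookies breaks the cross-site trail without affecting the site's own session handling.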
While it is clear technology has been moving faster than legislation, it seems the EU is catching up and has presented a solution to maintaining online privacy in the form of the General Data Protection Regulation (GDPR).
The GDPR comes into effect on 25 May 2018 with the aim to protect all EU citizens from privacy and data breaches by imposing tougher restrictions on how personal data can be collected, shared and stored.
The GDPR defines personal data as “any information related to a natural person or ‘data subject’, that can be used to directly or indirectly identify the person including an email address, name, photo, social media post or medical information.”
The regulation will not only apply to organisations in the EU; it will also extend to businesses in foreign countries, including Australia, that have a presence in the EU, offer goods or services in the EU or monitor the behaviour of individuals in the EU. For example, an Australian online retailer whose website targets customers in the EU by offering goods or services in a European language or enabling payment in euros would be subject to the GDPR.
While some of the principles of the GDPR are similar to regulations governing Australian businesses under the Privacy Act 1998 and Australian Privacy Principles, it is important for businesses that have any kind of footprint in the EU to understand the key policies the GDPR introduces:
Consent: Requirements for consent will be strengthened under the GDPR. Generally speaking, this means that data subjects must actively agree to receive marketing communications from your business and must be able to unsubscribe or opt out of any communications just as easily.
Breach notification: A notifiable data breaches scheme commenced in Australia on 22 February 2018. It requires entities with an annual turnover of more than $3 million to report a breach likely to result in serious harm to any individuals whose data is involved within 30 days of becoming aware of the breach. Under the GDPR the time frame is much stricter, with businesses obliged to notify individuals within 72 hours of becoming aware of the breach.
Right to access: If an individual requests access to their data, they must be provided with a copy of any personal data that has been processed, as well as confirmation of where it was processed and for what purposes.
Right to be forgotten: If personal data is no longer necessary for the purpose for which it was collected, or if an individual withdraws their consent, they can also request that their information be erased.
Data portability: Individuals have the right to receive personal data they have previously provided in a machine-readable format for the purposes of transmitting this data to another service provider.
Further to understanding these principles, it is prudent that Australian businesses take all measures to ensure they are compliant, as the GDPR is likely a sign of things to come not just in Australia but globally.
Just this month, while Congress grilled Facebook CEO Mark Zuckerberg about the company’s failure to protect users’ privacy, the U.S. also introduced the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, which would impose policies similar to the GDPR, and it seems inevitable Australia will eventually follow suit.
The most serious infringements of the GDPR can attract a fine of up to 4 per cent of annual global turnover or €20 million ($32 million AUD), whichever is greater, and as the deadline for mandatory compliance looms it is crucial businesses have a plan in place.
Australian businesses that have customers or operate in the EU should find out if the GDPR applies to them prior to 25 May 2018 and adjust their systems, policies and processes accordingly.
While it might seem all doom and gloom, the GDPR actually opens up an opportunity for businesses to see better results from their marketing communications. By putting individuals back in the driving seat when it comes to personal information, organisations can ensure they are communicating with the right audiences, and those that embrace the GDPR may even find themselves with a competitive advantage.