Million (€) reasons why you should care about data privacy
To better understand the market, improve marketing and personalise service, companies are collecting and processing more and more data. While there are benefits to doing so, collecting and processing data carries the risk of misuse, breaches of data protection regulations and loss of data, which can lead to hefty fines.
Non-compliance could be costly
If you are not worried about data protection yet, we have a million reasons why you should be.
You have personal data but do not have a proper legal basis for processing it. Conducting marketing activities without proper consent is considered gross misconduct. Before you start using data for promotional purposes, you should make sure that the data subject has given consent and that he or she has the opportunity to opt out. On these grounds, the Italian regulator imposed two fines totalling 11.5 million euros on Eni Gas and Luce (EGL) for the unauthorised processing of personal data in the context of promotional activities and the activation of unsolicited contracts respectively.
You use legitimate interest as a legal basis. One of the legal bases for data processing is legitimate interest, but to rely on it for a processing activity it must be sufficiently justified, and you must be able to demonstrate that justification at any time. The Spanish Data Protection Agency ('AEPD') issued a resolution on 13 January 2021 fining CaixaBank S.A. 6 million euros for violating Articles 6, 13 and 14 of the General Data Protection Regulation.
You collect data but data subjects cannot opt out of processing. You have found a way to collect data more effectively for marketing purposes, but data subjects have to spend hours getting lost on your website before they give up trying to object to the processing. Although it sounds tempting to "force" users to consent or make opting out impossible, consent should be given voluntarily. On these grounds, the Luxembourg data protection authority, the Commission Nationale pour la Protection des Données (CNPD), issued a €746 million fine to Amazon.
Your privacy policy is not detailed enough. You have collected the data with proper consent, the data subject has the possibility to refuse the processing, but that's not all. In order for the processing to be GDPR compliant, you should inform the data subject of the details of the processing in a privacy notice (as set out in Articles 13 and 14 of the GDPR). The Spanish Data Protection Agency (AEPD) fined BBVA (Banco Bilbao Vizcaya Argentaria) 2 million euros in relation to its privacy policy, which did not properly explain how it collects and uses its customers' personal data.
You have collected data for multiple purposes. Consent alone is not enough. The GDPR sets very high standards for proper consent. If your business collects data for multiple purposes with a single opt-in, it could be in breach of the regulation, as these consents are indistinguishable and non-specific. Nor may you make the provision of a service conditional on the collection of data. On 15 January 2020, the Italian telecommunications operator TIM (Telecom Italia) was fined 27.8 million euros by Garante, the Italian data protection authority.
You monitor your employees. Your customers' data is not your only concern. If you track your employees in any way, you must have policies and procedures in place to protect their data, just as you would protect your customers' data. The Hamburg data protection authority fined clothing retailer H&M 35.3 million euros for violating the data minimisation principle of the General Data Protection Regulation and using the data to make decisions about people's employment.
Data breach. You follow all the rules regarding consent, purpose, data retention, etc., but a breach of the General Data Protection Regulation (GDPR) still occurs. You must have sufficient safeguards in place to protect the data. The ICO fined British Airways 20 million pounds for a breach in 2018. The breach affected 400,000 customers, and hackers got hold of log-in data, payment card information and the names and addresses of travellers.
What can you do about it?
Now that we have shown you why data privacy protection matters, here is what you can do to protect it.
Understand your role in the data processing. In order to start the compliance process, you should know which data you’re collecting, what it’s being used for, where it’s being stored, and whether it’s being passed on to any third parties. Understanding all this will help you form strong data protection policies and measures.
Know which laws apply to you. Find out which laws apply to your business in the region you're operating in, and to your contractors.
Make sure your employees are familiar with their obligations. Collecting and processing are usually done by your employees, so make sure they are aware of the importance of correct data handling.
Use available tools to make your compliance a piece of cake. Anti-malware, anti-spyware, email security tools and encryption together give you multiple lines of defence.
Communicate with your customers. Let your customers know why, how and for how long you intend to use their data. Give them an option to opt out and to make informed, voluntary decisions. Being transparent with your customers will make a big impact.
Prepare for the worst. Do what you can to prevent a breach, but also establish in advance the procedure you will follow to limit the impact if one does occur.
Contact us. If you are not sure where to start, contact us! We can take you through the whole process and make your data processing compliant.