Lately, our personal data has become a trading good, collected and used by companies and governments. This raises concerns about our fundamental right to privacy and about whom we should trust with control of these data. Personal data are used to shape product designs and align them with customer needs. This is why consent over how personal information is managed is important. Digital interconnectivity and technological progress matter, but so do our civil liberties. Striking a balance between commercial gains, data safety and privacy rights is a constant challenge.
Since 2018, EU-based legal entities collecting and storing private data must be GDPR compliant. Personal data collection plays a strategic role and offers businesses insights into their customers’ behaviour. However, if they don’t comply with GDPR provisions, data collection will damage their reputation and expose them to financial risks.
Personal data is private information that identifies us, such as our names, email addresses, phone numbers, locations, and credit card data. In the EU, the privacy rights protected by GDPR mainly refer to the protection, access, and correction of personal data. GDPR’s provisions allow us to see who has accessed our private data and what they have done with it. GDPR’s role is to prevent the misuse of personal data, and compliance with its provisions is actively verified, as the rising number of fines proves.
Exposure to risks because of lack of transparency
Data usage has significant legal and reputational implications for businesses, regardless of scale. Both big and small companies may face public suspicion and legal penalties if they do not disclose how they collect, store, and use data. According to GDPR, users should be informed and have consent choices for the private data collected about them. Even small websites that use third-party services or analytics need cookie notices and data-collection terms.
Browsing data can be converted into marketing tools to predict future choices of customers. Cookies can collect data like IP addresses, login data, geo-locations, time on web pages, and bookmarks. All these browsing data are potentially private information depending on the business’s operations and the type of cookies accepted.
These regulations affect business relationships with countries outside the EU whenever data are collected from EU citizens. Most companies processing personal data inside the EU, or doing business with companies outside the EU, have responsibilities under GDPR. Any type of organization located in the EU, or with legal branches there, must comply with GDPR. Companies based outside the EU that offer services involving the processing of EU citizens’ personal data, or that target EU customers, are subject to the same obligations.
An initiative to review GDPR, prompted by cross-border disputes and differences in national administrative procedures, is on its way to adoption. The purpose of this year’s review is to increase the clarity of regulatory interpretations and facilitate consensus between the different member states’ rules.
Hiring requirements and personal data
Information such as ethnic origin, biometric data, state of health, or disabilities is sensitive data that can raise real concerns about privacy and safety. Recruitment agencies and employers handle the selection and hiring process online and ask for the candidates’ consent for these data.
Consent and contractual obligations are two of the most important reasons to process private data. Consent requires that data be processed for a clear and specific purpose. There are conditions under which consent must be given: it should be voluntary, specific, informed, and expressed through a clear affirmative response. Data processing also requires organizations to make it easy for people to withdraw their consent, to protect their privacy. This matters because the purpose of data processing can change at any given moment.
Most companies use Applicant Tracking Systems (ATS) to handle these privacy requirements, which are now a constant and repetitive task for HR. People provide employers with a CV, social media profiles, and possibly copies of professional qualifications. Employers can then collect and process the data under GDPR provisions and ask candidates for clear and specific consent.
Personal data and balance between interests and privacy rights
Contractual obligations are another reason for personal data processing. Whenever we sign a contract, personal data are involved. That is why GDPR and the associated legal requirements must be respected. So, for example, if you signed an employment contract, the employer will need to process your data to comply with its obligations under that contract.
Lawmakers are trying to balance businesses’ legitimate interests in data analytics against people’s privacy rights. The imbalance arises from what businesses want to offer and our willingness to grant them access to private data like our location, phone number, email, and other personal details.
Lawful reasons to process personal data
According to GDPR, legitimate interests should be the main reason for asking people for their consent. But this so-called legitimate interest comes and goes, and the request for consent becomes a repetitive task for companies that process personal data. Each EU country has a supervisory authority to monitor and enforce compliance with the GDPR provisions.
However, we are moving back and forth between our privacy and the necessity of data processing from a security or business operations point of view. In this context, GDPR’s basic principles, such as purpose specification, data minimization, and transparency requirements for systematically collected data, become the provisions that generate balance.
Why should we be interested in companies having GDPR implemented?
- Trust. By applying and enforcing private data regulations, companies might gain the trust of their customers and employees, and be perceived as trustworthy guardians of private data.
- Protection. Whether as customers or employees, we entrust them with sensitive data that risks being misused. Regulations provide a framework to handle abuse and possible misbehaviour.
- Control. We gain some control over the personal data provided to different legal entities through our right to request deletion or correction of our data. For instance, during a recruitment process, you can withdraw your consent if you are no longer interested or simply change your mind.
Depending on the organization’s complexity, personal data regulations are not easy to apply. There are still debates about how and when they should be implemented. However, protection of personal data will always matter, because sharing it comes with benefits but also with risks. If we value our privacy, we’ll always need to be aware of the data protection regulations that apply to us.