Twenty years ago, when a customer bought a new pair of shoes, the only information given to the vendor was his or her shoe size. Today, most people shop online. Now, when a pair of shoes is bought online, the seller gets access to the customer’s name, address, phone number, email address, and credit card number in addition to their shoe size. That’s a lot of data.
As the amount of information about customers held by a firm increases, so does the organization’s responsibility for its ethical use. The General Data Protection Regulation (GDPR) is a set of regulations designed to protect personal data from misuse.
Key Elements of GDPR
The GDPR aims at protecting people’s fundamental rights with respect to their personal information. It is applicable to personal data that is processed completely or in part by automated means or data that is part of a filing system. These regulations are described in the form of 99 articles. The key elements of these articles are:
Under the new legislation, brands cannot collect or use personal information unless the customer has given consent to it. Organizations will need to be able to show how and when they obtained this consent.
Right to be informed
When organizations collect data, they must inform consumers about why they are collecting this data, how it will be used and for how long it will be stored. Consumers also need to be informed of whether or not the information they provide will be shared internationally.
Right of access
Individuals have the right to ask how the data they provided is being used and processed by the organization. This information must be provided free of charge within one month of the request being made. However, a fee may be charged if the request is repetitive or unfounded.
Right to rectification
A customer's information held by a company may be inaccurate. In such cases, the customer has the right to ask the company to change the data in order to correct the inaccuracy. These changes must be made as soon as possible.
Right to erasure
Customers can withdraw consent by closing their accounts and request organizations to stop using their personal data. Businesses and organizations will have one month from the time an account is closed to erase all private data associated with the account. Exceptions may be made when the data is being used to serve public interests.
Right to restrict processing
If a consumer believes that data about them has been obtained unlawfully, or that the data is inaccurate, they have the right to block its use. The organization holding the data must verify it and inform the individual of the outcome.
Right to object
Under GDPR, if an individual asks whether their personal data is being used in the public interest or for any other reason, the organization is obliged to explain the grounds for that processing. Individuals may also object to the processing of their data for activities such as direct marketing and have it stopped.
Controller and Processor
GDPR defines a controller as the principal entity responsible for obtaining and managing consent with respect to the collection and storage of an individual’s data. The authority or person who processes this data is known as the processor. The controller and processor must maintain detailed records of the data held by them. GDPR also lays down clauses on how the relationship between these two entities must be constructed.
Data Protection Officer (DPO)
Organizations that collect data from their customers must have a DPO. The DPO will act as an advisor to the processor and controller, monitor GDPR compliance and train staff on how the data gathered from customers must be processed to be compliant with GDPR norms.
Notification of a data breach
Despite a company's best efforts, a security breach may still occur. If it leads to the unlawful or accidental destruction, alteration or loss of personal data, the company must inform the appropriate supervisory authority of the breach within 72 hours. Likewise, the appropriate authorities must be informed if personal data is accessed or transmitted by unauthorized means.
If a company collects and stores personal data but does not comply with the GDPR regulations, it may face stiff fines and penalties. Thus, unless a brand wants to be in the news for the wrong reasons, compliance with GDPR is necessary. GDPR marks a shift in rights over individual data and hands power back to customers. That said, it is interesting to note that people are not uncomfortable sharing their personal data with trustworthy brands. Compliance with GDPR can, in fact, enhance their buying experience and thus lead to longer-lasting relationships.