Exploring the Privacy & Security Regulations that Businesses Need to Consider
Guidelines provide a form of protection, should they remain compliant, as the fallout of a security breach can be devastating to any enterprise
The desire for privacy has always been a high priority for the majority of individuals, and governmental organisations have consistently attempted to protect their citizens' information. The "Right to Privacy" has been recognised as a fundamental human right since 1948, and over the years, regulators have amended and adapted privacy laws to keep up with the new threats presented by data insecurity in the UK and around the world. In order to protect individuals' data from misuse that could lead to private information being shared, and to limit the risk of fraudulent activities, the UK's Data Protection Act of 1988 was the first legislation to hold companies' accountable for how they use, store, and share their customer's information.
From a business perspective, these guidelines provide a form of protection, should they remain compliant, as the fallout of a security breach can be devastating to any enterprise. In recent years, due to the explosion of the internet, novel digital marketing methods, and an increase in social media activity, the amount of data collected by commercial entities has surged dramatically, and updated legislation became a necessity. In 2015, to ensure privacy regulations were suitable for the digital age, the European Union introduced the most robust data protection rules to date; the General Data Protection Regulation - GDPR - to give EU citizens greater control over their personal data.
What Is GDPR?
It's important to realise that because the purpose of GDPR is to protect the data of every EU citizen, it isn't location-based, and instead means that any company collecting data from an EU citizen must be compliant. Given that the information protected under GDPR includes web data, such as IP addresses and cookies, this means any business with a website that could be visited by someone within the EU has to follow the regulations. Fortunately, for companies that already have stringent data controls in place, updating their practices shouldn't be too difficult.
How does GDPR affect marketing activity?
For most companies required to navigate and conform to GDPR, their initial concern is how the rules affect their marketing abilities. Fortunately, from a marketing perspective, there are just three key areas to pay attention to - data permission, data access, and data focus.
Data permission mostly concerns email opt-ins, and GDPR states that any potential recipients of your emails must physically express their consent in a "freely given, specific, informed, and an unambiguous way" before you send anything. This means giving people an explicit action to take - like clicking an unfilled checkbox - to opt into any marketing materials.
Data access mainly entails giving people an easy way to access all of the data you hold on them, while also making it straightforward to request its deletion. As a marketer, this can be as simple as including a link to unsubscribe on your correspondence, and an option to manage their marketing preferences.
Data focus is the requirement that companies must be able to legally justify the data they collect and process; however, this isn't as difficult as it may seem. To remain compliant, companies just need to ensure they're only collecting personal data that's relevant to their marketing - while some information might be nice to have, if you don't think you could prove why you need it, it's better not to ask.
What are the ramifications of non-compliance?
While it might be tempting for businesses to ignore GDPR based on inconvenience or cost, it's worth pointing out that the penalties for non-compliance are steep, and more than a few well-known companies have already paid the price. The most notable business to fall foul of the new laws was Google, who were fined €57 million for lack of data and advertising transparency, but Uber was fined €600,000 for failing to report a data breach within 72 hours, Flybe was charged €70,000 for emailing customers who had unsubscribed, and Facebook is currently under investigation. In many cases, a warning will be issued before a fine, but it's also possible to be banned from processing or transferring data - temporarily or permanently.
Privacy & Security trends in Southeast Asia
If a business operating in Southeast Asia has to worry about being compliant for EU citizens, what other regulations do they have to be aware of?
In Singapore, the Personal Data Protection Act 2012 lays down the law on data protection. In addition to establishing a general data protection regime, the Act also regulates telemarketing practices. The PDPA, that came into force in four stages between January 2013 and July 2014, governs the collection, use and disclosure of personal data in Singapore. It clearly defines the nine business obligations, including consent, purpose limitation, notification, accuracy, protection, retention, access & correction, transfer and openness limitations.
Regionally, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework aims to create standardised rules; however, only nine countries are a part of this bloc, and many Asian countries have yet to develop their own guidelines. Because it's the strongest data protection legislation in the world, adhering to GDPR means a company is guaranteed to be compliant wherever they're operating for years to come, so it's by far the best standard to meet.
For now, complying with GDPR is the best way for any company to ensure they're meeting all legal standards for data protection, and that's likely to be the case for the foreseeable future. While it may seem like a daunting task, a lot of the pressure is taken off once the first requirement is met - employing a Data Protection Officer. For companies who aren't obliged to hire a DPO, it's still recommended to designate the responsibility to someone and invest in Privacy & Data Protection (PDP) training for them.