Data is the most important asset for organizations globally. Most organizations fiercely guard their data, yet despite their best efforts, incidents of customer data being compromised are not unheard of. Why does an organization, despite its best efforts, face such a colossal task at protecting their most precious asset?
There is a multitude of answers to the failure to protect customer data. Few of them are lax security measures, not adopting best practices to secure data, and in some cases, turning to unscrupulous practices to make a quick gain.
Ahead of World Consumer Rights Day on March 15, we take a look at two regulatory data protection laws, and their impact are protecting the interests of the customers. Governments worldwide have woken up to the menace of data theft. More steps are being taken, and governments in EU, Americas, Asia-Pacific are introducing legislation to curb data-related crimes and are empowering the consumer.
Two regulations that were introduced in this regard are General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). These regulatory compliances were introduced by the European Union (EU) and the state of California, respectively.
Understanding General Data Protection Regulation (GDPR)
GDPR was introduced in May 2018 to protect the data of EU citizens. GDPR applies to any firm that is involved in the collection, processing, and dissemination of data. GDPR ensured customers have the final say in how their data is collected and used. Through these rights, data subjects can make a specific request and be assured that personal data is not being misused for anything other than the legitimate purpose for which it was originally provided.
Non-compliance to GDPR can invite fines of up to 20 million euros or 4%of the company’s annual revenue, whichever is higher.
How does GDPR affect businesses and their collection of data?
GDPR grants eight rights to customers that govern the collection of data and their use by marketers.
1) Right to Information: Allows customers to know how a business is collecting and using their personal information and the reason behind it.
2) Right of Access: Customers are allowed to access their data and get copies of the data that are being used by other organizations.
3) Right to Rectification: Customers are allowed to access and make changes to their personal data.
4) Right to Withdraw Consent: This allows customers to revoke earlier permissions to organizations that would have processed their data.
5) Right to Object: Under this right, customers can object to the processing of their personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted. However, a specific scenario would be when a customer asks that his or her personal data should not be processed for certain purposes while a legal dispute is ongoing in court.
6) Right to Erasure: Customers can ask organizations to delete their personal data and prohibit their usage.
7) Right to Data Portability: This allows customers to ask for a transfer of his or her personal data back to them or to a third party. The data transferred should be in a structured and machine-readable format.
8) Right to Object to Automated Data Processing: This right allows customers to object to decisions arrived at using automated processing. In such instances, the organization may have to review the request manually. For example: Using this right, a customer may ask for his or her request (for instance, a loan request) to be reviewed manually because he or she believes that automated processing of his or her loan may not consider the unique situation of the customer.
Besides these rights, the organization must perform a data protection impact assessment (DPIA) before processing personal data and inform users whenever a data breach takes place.
Who Can Make a Rights Request, and How?
Rights to a request can be made by an individual or an individual’s legal representative. Such an individual could be a customer, an employee, or personnel of a supplier working for the company. Also, such a request should usually be made in writing.
Understanding the California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The law went into effect in 1st January 2020. Introduced in 2018, the Consumer Privacy Act (AB 375) allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. The CCPA takes a broader view than the GDPR of what constitutes private data. The challenge for security, then, is to locate and secure that private data. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
Although, at first instance, it may appear that the CCPA is less strict or severe compared to GDPR, it does demand a set of requirements to be fulfilled. These companies serving Californians must have an annual turnover of at least $25 million. Of this 50%revenue must be generated from the sale of Californian consumer data. Also, institutions that have data of 50,000 people and above fall under this law’s purview. Companies don’t have to be based in California or have a physical presence there to fall under the law. Organizations not based in the US to fall under CCPA.
What Rights CCPA Give To Customers?
1) Right to Notice: Right to Notice is also called as the Right to Be Informed. Under this organization are required to notify customers about the categories of customer information they are collecting, while or before collecting it.
2) Right to Access/Disclosure: Under this right, customers can ask organizations to disclose the personal information they’ve collected in the past twelve months. Organizations should also provide their sources and purpose of information collection.
3) Right to Opt-Out: This right allows customers to ask businesses to stop selling their personal information to third-parties. CCPA defines sale as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating customers’ personal information.
4) Right to Request Deletion: This right allows customers to ask organizations to delete their personal information collected from them in the past twelve months. However, there are restrictions wherein organizations can retain information for security and legal reasons.
5) Right to Equal Services and Prices: This right prevents organizations from discriminating among consumers by charging different prices or denying products and services. However, organizations can choose to lure consumers into sharing their data by offering them financial incentives for providing personal information after receiving their due consent.
What Is Kind Of Information Covered Under CCPA?
1) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
2) Commercial information including records of personal property, products or services purchased.
3) Biometric information.
4) Internet or other electronic network activity information and Geolocation data.
5) Professional or employment-related information.
6) Education information.
What Steps Can Organizations Take To Comply With GDPR and CCPA?
There are similarities as well as differences between CCPA and GDPR, but implementing a few practices can help organizations avoid mammoth fines and stay out of legal hot water.
CCPA and GDPR both require organizations to update and post their privacy policies online. These need to be updated with information of any third-party with whom information is being shared.
2) Information Collection Process Must Be Documented
Both CCPA and GDPR require organizations to detail what information is being collected from customers, the manner in which the information is collected as well as the reason for collecting such information. The unnecessary hassle and legal scrutiny can be avoided by organizations if they choose to document the process so that satisfactory reason could be provided in case ofa verification.
3) Update/Redesign Opt-In Process
Regulations demand explicit user consent before acquiring information from customers. No organization can assume the fact that customers have already given their assent for the collection of information while filling a questionnaire or any form. To ensure compliance, organizations are bound to keep default fields blank and mention that the customer’s decision is final and the form cannot be submitted until they mention whether or not they want their data collected.
Is There Any Difference Between Privacy and Protection?
Most security professionals, at one glance don’t see the inherent difference between privacy and data protection. However, the new rules and regulations have chosen their names carefully. One focuses on customers. Another focuses on data. The regulations are about the safeguarding of an individual’s data and the protection of that data against loss, abuse, and misuse
Customers are the lifeblood of any modern digital business, and therefore, safeguarding that data is essential to the success of the modern enterprise. Customers buy from companies they trust, and companies that can’t protect their most important asset, i.e., their customer data, can’t guarantee the loyalty of those customers.
CCPA, GDPR, and similar global privacy regulations elevate the importance of personal information in the enterprise. These regulations will better equip organizations on the best practices when it comes to collecting and sharing customer data, and protecting customers by protecting their data and ultimately them. To know more about what is fintech and fintech trends, you can download our latest whitepapers on Security.