GDPR: EU's Effective Data Protection
Have you ever been bugged by calls from unknown numbers asking if you want to take a loan, apply for a credit card, or just avail of a random promo? How about unauthorized bank transactions or purchases made under your name that you are unaware of? In this age of digitalization, this personal data is made available on various digital platforms and is therefore prone to digital theft.
In the early 2000s, digital attacks were already happening around the world. The “I Love You” virus infected around 45 million Windows users worldwide, stealing digital information, and at that time there were no direct bills or laws addressing such cases. Over time, efforts have been made to secure digital information.
In 2016, the European Union (EU) enacted the General Data Protection Regulation (GDPR), which covers data protection and privacy by creating implementing rules and regulations for handling personal information, particularly for businesses.
Since then, various countries have adopted similar guidelines, such as the USA’s California Consumer Privacy Act (CCPA) and China’s Cybersecurity Law (CSL), to establish a standard way of collecting information and ensuring it is properly guarded.
Today, in most businesses, data collection is done with the consent of the individual. This serves as proof that the personal information collected will be for internal use only. This information is stored and can only be accessed by an authorized data processor, commonly from Human Resources and Information Technology (HRIT) or any approved individual within the organization.
Another classic example, in an Asian setting during COVID-19, is data gathering for contact tracing, which carries a disclaimer stating that the information collected will be for government use only. While GDPR is aimed mostly at private businesses, local government agencies also refer to it. General guidelines suggest that all kinds of data collection need consent, since this sensitive information is part of an individual's privacy rights.
In large businesses, annual reviews and reminders about phishing sites are taught and implemented. These websites trick unwitting employees into keying in log-in credentials and other important information that may leak access to an external party and cause a data breach. Employees are also reminded not to give out any information on co-employees or guests without consent.
In today’s environment, access to data has seen major evolutions. There was a time when a simple log-in using a username secured with a password was the dominant control on data access. Over time, this was updated with features such as fingerprint scans, face scans, and voice scans. Currently, there are custom-made applications that generate keycodes to validate a log-in from a device.
Data transfer is also restricted on most occasions. Tools like pen drives and external hard drives are blocked, and universal serial bus (USB) ports are deactivated. Installation of applications and other programs is also limited to preserve and secure the information on company assets like laptops and cellphones. These advancements are added security features to prevent misuse of information.
Some other companies restrict the uploading and downloading of information and applications from the internet, since cloud drives and other online storage facilities can now be easily accessed on the web. All information stored on company assets is regularly updated and stored within the company cloud system, ensuring data security against theft and hardware damage to the equipment.
Lastly, depending on the data classification, different levels of authorization and access approval are also required. GDPR guidelines suggest that all kinds of information, be it personal or professional, should be kept private. The next time a work colleague greets you on your birthday without you telling anyone, ask him how he got the information, since this might be a possible data breach.
Data Sensitivity Classification
Data protection differs by data sensitivity classification. Data are classified as low, medium, or high, depending on their importance and impact within the organization. These classifications rank the information by the severity of the consequences if such details are leaked or destroyed. International Organization for Standardization (ISO) certified companies use this method and provide solutions to protect data.
Low Data Sensitivity Classification refers to information that can be accessed publicly, like websites, online content, press releases, or published articles, where the information may or may not directly affect the organization. These are often referred to as Public and can be openly shared with external stakeholders and individuals.
Medium Data Sensitivity classification is often referred to as “internal use only.” These may be emails and documents that employees can share within the organization's premises. They can also take the form of identity validation keys with names, birth dates, photos, and other records such as schedules, academic background, etc., where the information can affect an individual or a group of people.
High Data Sensitivity classification is branded as “confidential” information, such as financial and personal information, passwords, and personal identification numbers (PINs), where the information can affect an individual or the whole organization. These are often encrypted and need a high level of authorization before they can be accessed.
While GDPR defines data as such, other international policies classify data differently. China’s CSL focuses on the protection of lawful rights and interests by protecting personal information, making its high-sensitivity category the details that affect national security or cyberspace sovereignty.
In Asia, data privacy and protection are fragmented, usually on a country-by-country basis, but each outlines the protection of personal data and regulations on its use. Depending on the country or region in which a business operates, data retention and disposition under these classifications also vary.
Data in the low sensitivity classification can be disposed of within the span of 1 year, while medium to high sensitivity information could be archived for between 2 and 7 years, depending on internal policies or laws. Anything beyond the set standards can be disposed of (hardware and software) and/or digitally archived.
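As an added illustration (not code from the article), the classification, access and retention rules described above can be expressed as a small policy evaluator. The clearance levels, the 2-year versus 7-year split between medium and high, and the sample records are constructed assumptions; the 1-year disposal and encryption-for-confidential rules follow the text.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Sensitivity(Enum):
    LOW = "public"              # openly shareable
    MEDIUM = "internal use only"
    HIGH = "confidential"


# Retention in years before a record leaves active storage.
# Low: disposed after 1 year; medium/high: archived after 2-7 years.
# The exact 2 (medium) vs 7 (high) split is an assumption for this example.
RETENTION_YEARS = {Sensitivity.LOW: 1, Sensitivity.MEDIUM: 2, Sensitivity.HIGH: 7}

# Constructed clearance levels: 0 = anyone, 1 = employee, 2 = approved processor.
REQUIRED_CLEARANCE = {Sensitivity.LOW: 0, Sensitivity.MEDIUM: 1, Sensitivity.HIGH: 2}


@dataclass(frozen=True)
class Record:
    name: str
    sensitivity: Sensitivity
    created: date
    encrypted: bool = False


def can_access(record: Record, clearance: int, is_employee: bool) -> bool:
    """Deny unless clearance suffices; internal data needs an employee and
    confidential data must be encrypted at rest before it is released."""
    if clearance < REQUIRED_CLEARANCE[record.sensitivity]:
        return False
    if record.sensitivity is Sensitivity.MEDIUM and not is_employee:
        return False
    if record.sensitivity is Sensitivity.HIGH and not record.encrypted:
        return False
    return True


def disposition(record: Record, today: date) -> str:
    """'keep' while within retention; then 'dispose' (low) or 'archive' (medium/high)."""
    age_years = (today - record.created).days / 365.25
    if age_years < RETENTION_YEARS[record.sensitivity]:
        return "keep"
    return "dispose" if record.sensitivity is Sensitivity.LOW else "archive"


def review(records, today: date) -> dict:
    """Retention review over a batch of records, keyed by record name."""
    return {r.name: disposition(r, today) for r in records}


# Constructed sample records for a review run dated 2022-01-01.
SAMPLE = [
    Record("press-release-2019", Sensitivity.LOW, date(2019, 3, 1)),
    Record("staff-schedule", Sensitivity.MEDIUM, date(2021, 6, 15)),
    Record("payroll-pins", Sensitivity.HIGH, date(2014, 1, 10), encrypted=True),
]
```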
Data Protection Exemptions
While GDPR provides guidelines particular to businesses, protecting the company's and its personnel’s intellectual property rights, the guidelines do not cover household engagements and non-commercial sharing of information. Hence, self-precaution in sharing information externally is a priority.
As when meeting a stranger, being careful with your assets and data should be your top priority. Sharing your address with individuals is not advisable unless you have already built trust and confidence with these people. Remember that any information they collect, be it through chit-chat or electronic messages, can be used against you.
Be careful of promotions, loan offers, and other external data collectors, since GDPR does not govern these. Although other related laws, such as those on fraud, exist, it still boils down to the individual being critical in those situations. You can report these activities as spam calls/messages and even to the authorities if deemed necessary.
One of the major differences between countries' data protection and privacy laws is the definition of providing consent.
GDPR's exemptions indicate that consent is limited to “freely given,” “informed,” and “active,” while this is being contested by other countries, including Asia’s SG and HK, against the likes of Google, Amazon, Facebook, Apple, and Microsoft for implementing a “forced consent” feature without an option to decline.
GDPR is an EU-based guideline on data protection. Other countries followed suit with laws in the context of GDPR, such as the US CCPA and China’s CSL. In Asia, privacy laws and guidelines are published on a country-by-country basis, but the general concepts are aligned with the above-mentioned pioneers.
For an organization, data protection is a must-have to safeguard its intellectual property rights and other relevant information used to run the organization. Failure to adapt means a higher probability of data leakage and breaches, which can cause legal suits and implications against the business.