Information about people and their buying habits has become a critical part of the way organizations do business, impacting the way goods and services are produced, marketed, sold and delivered. As a result, concerns about protecting the privacy of individuals have led to different laws and regulations designed to safeguard the personal information of consumers.
Among the strongest data privacy and data protection laws is the General Data Protection Regulation or GDPR — a legal framework that sets guidelines for collecting and processing personal information. While the GDPR governs how organizations handle the personal information of people living in the European Economic Area (EEA) — which includes the European Union countries plus Iceland, Norway and Liechtenstein — it can apply to organizations in the US and anywhere in the world if they:
- Process the personal data of EEA citizens or residents
- Offer goods or services to EEA citizens or residents
- Use web tools that track cookies or the IP addresses of website visitors from EEA countries
The GDPR also requires organizations to train their workforces on how to properly handle personal data — an important step in teaching employees how to protect personal information and avoid costly violations. GDPR regulators can issue steep fines and penalties for mishandling personal data — as high as 20 million euros or 4% of the organization’s annual revenues.
What is personal data?
To understand the GDPR, it’s helpful to understand that EEA members view individual privacy as a fundamental human right. So it’s not surprising that the GDPR creates protections that both limit how organizations can use personal data and give individuals certain rights to control how their personal data is collected and used.
Under the GDPR, personal data is any information that identifies individuals, either directly or indirectly, such as names, location, internet activities and email addresses. The ‘data subject’ is the person whose data is being collected or processed. A ‘data controller’ is the person or organization that determines the purposes and means of processing personal data. Personal data is processed whenever some action is taken on it, whether automated or manual, for example collecting, recording, storing, using or erasing it.
Raising GDPR awareness
One of the biggest compliance challenges for organizations is helping employees develop an awareness and understanding of personal data issues. Employees often assume that “it’s just information” or that “it’s our data so we can handle it any way we please.”
Another challenge is ensuring employees understand the organization’s policies and practices that address data privacy issues and GDPR guidelines related to retaining records, data security, customer requests and sharing information with a sister or related company.
There is also another reason to raise GDPR compliance awareness: fines and penalties for violations can be dramatically reduced if an organization can show it put data protection practices in place, quickly identified and mitigated the potential violation and was transparent with authorities about the problem. To be effective, all of these measures need employees who understand basic data privacy issues and feel empowered to raise concerns and questions.
The GDPR, the California Consumer Privacy Act (CCPA) and similar laws stand at the intersection of data privacy trends that reflect the growth in how organizations collect and use personal data, the globalization of business and the concerns that individuals have for how their information is being collected and used. Organizations should make it a priority to provide employees and managers with regular training on data protection and privacy principles and regulations so they can proactively avoid data breaches and costly mistakes that impact organizations across industries and geographies.