The General Data Protection Regulation (GDPR) is coming into effect on Friday, May 25, although this is not the end of concerns for the management of personal data. Large and small businesses are still not clear on the new security regime while a civic group is launching a campaign to reveal which companies maintain hidden data ecosystem, exploiting individual data without consent.
What has the GDPR is doing
Companies using exploiting personal data for purposes that have not been explicitly authorized by citizens face fines. Multinationals face up to €20m fines or 4% of their global turnover, whichever is bigger.
The issue goes beyond “consumers rights” and goes into citizens’ rights.
The GDPR is the new regulating regime that guarantees that data collected by companies from individual citizens cannot be exploited or sold without the expressed authorization of the individual concerned.
Consent must be explicit.
Companies will need to inform clients and potential clients exactly how their data is being exploited and what kind of data a company maintains on them.
Companies exploiting data under the radar
As the GDPR comes into force, the civic advocacy group Privacy International (PI) is launching a campaign to unveil which companies facilitate mass/big data exploitation without the consumers’ explicit consent.
Who has access to what data is impossible for individuals to monitor, especially as there are companies that seek out and integrate data on individuals that are out there, but not for commercial exploitation. Information shared on Facebook, or pictures is a good example.
On the day that GDPR comes into force, PI is launching a campaign to investigating and monitor hidden data ecosystems comprised of thousands of non-consumer-facing data companies – such as Acxiom, Criteo, Quantcast. Such companies “mine” personal data from other companies and sell them to interested parties.
Such companies should normally not be able to exploit individual data for purposes that have not been explicitly authorized by the owner of the data, or even their knowledge. Otherwise, companies whose services we have access to personal data, ranging from how many sweets we buy to what school our children go to.
In a written statement, PI’s legal officer, Ailidh Callander, welcomes the GDPR coming into effect, noting that the new regulation should empower “individuals, civil society, and journalists to fight against data exploitation.”
This is not about data we knowingly disclose for specific purposes, but data such as the nature of our social networking. Banks in some countries are now able to buy network profiles that they integrate into credit-rating profiles. In sum, who you talk to can affect whether and where you can buy a house. And that is a timely discussion.
The emerging battlefield of data-ownership
It is not just big technology behemoths like Facebook that are worried.
European banks will not only have to face GDPR but must also adjust to a seeming contradicting set of regulations – the so-called PSD2 regime – that stipulates they need to share client data with third parties, if a client authorises them. That regime comes into effect in 2019.
Banks argue that passing on data under PSD2 means they cannot guarantee citizens’ rights under GDRP. This is difficult to argue as explicit consent by the client is still involved.
Financial industry firms that may want the data – say a credit card issuer that wants to compete – can gain access to your credit profile with your consent.
However, the bank cannot guarantee that the data will not be exploited by criminal gangs and will argue some data is sensitive if only to hold on to their clients. So, the question here is who is liable if something goes wrong and there is a data-leak.
Lenders want to hold on to their data, not only to protect customers but also to avoid losing them. Naturally, to share data with banks, financial technology companies will need to have a security infrastructure in place, but the fight over data is at the heart of the emerging economy.