Do you value privacy? Most individuals and companies would reply with a clear “Yes!” to that simple question but their actions are often not very well aligned with that expressed attitude.
What are the legal privacy rights we have as individuals?
Before we consider whether ee actually do value privacy, let’s review what rights the law states that we have. This varies around the world but we choose to bear our discussion on the GDPR – because it bases its validity on the European declaration of human rights.
- Right to access: you have a right to know what data an organization is processing about you, why they are doing it, where they are doing it and what the legal ground for processing is. You also have a right to know what the source of the data is, and with whom the company is sharing the data.
- Right to correction: if a company is processing data about you and you think they’re are words in the data, you have a right to rectification. The company can not store and process false data about you.
- In many cases you have a right to erasure. There are exceptions to this, but in the case of consent as legal ground for processing you always have this right.
- You have a right to demand limitation or a complete stop in the use of your data, for example in the case of a dispute. This depends on why the data is being processed.
- The GDPR forbids automated decisions with serious consequences for you as an individual, such as a hiring process or limitation in access to credit.
- You have a right to data portability. Providers have to give you your data in a format that can easily be used with a new service provider.
- Right to information about how the processing is done. Transparency is an important part of your rights.
Do companies actually value privacy?
The biggest threat to privacy in business is perhaps marketing, especially online marketing. Typical practices include
- Tracking customers online using cookies, beacons, etc., and sharing this information with a large number of good parties
- Lack of internal knowledge of legal requirements
These practices are not in the spirit of the GDPR, and sometimes even grave enough to be illegal, and definitely do not show respect for privacy as a human right. Yet, this kind of corporate behavior is still common, in spite of very clear requirements in the GDPR to do better.
Don’t people care?
It may seem that people don’t care, but perhaps equally likely is that they have no idea what companies do with their data.
Here’s an example from the tabloid newspaper Daily Mail. So their readers know that when they consent to marketing cookies, their data is shared with hundreds of marketing companies, that again use these identified to target the same users on other web sites? Probably not.
Does it then make good business sense to disregard privacy and put customers under surveillance? Generally reports indicate that 30% of internet users run ad blockers, and the numbers are rising. Many find that ads and trackers significantly slow down load times and destroy user experience, and at the same time, ads often pose threats as malicious ads bought by criminals have been used to distribute malware.
Can we make things better?
We can, and we must. Some companies are turning privacy into a competitive advantage. Examples of this includes the search engine duckduckgo.com, the privacy oriented browser Brave and even Facebook is trying to make privacy party of their marketing message after multiple cars of bad privacy practices becoming international headlines the last few years.
Companies that want to make privacy a cornerstone of their strategy need to train everyone to know both why privacy matters, and how employees must act to integrate privacy in every business process. This is why Cybehave offers engaging and easy to use training for everyone covering the key aspects of the GDPR. (Contact us at email@example.com to an more about how we can help).
Another key aspect of good privacy management is the need to respond to requests from data subjects in a clear, rapid and secure manner. Managing data subject requests using email will quickly become intractable. Cybehave had developed a cloud bard software solution for this problem making it easy to manage requests and prove compliance.
By integrating privacy practices that do put the rights of data subjects before the wishes of marketing networks, for company can build much stronger trust with customers, and avoid risking huge legal burdens and costs. The way forward is not through secrecy and tracking, but through transparency and respect.
An important first step to better privacy practices in an organisation is to provide adequate training to all employees. Cybehave offers engaging and to-the-point e-learning on GDPR, making sure everyone is aware of what issues need further attention. Contact us at firstname.lastname@example.org if you want to know more.