Data Privacy Day (European Data Protection Day) is held every 28 January. It is an international effort to empower individuals and encourage businesses to respect privacy, safeguard data and set up a climate of trustworthiness. On this day we try to raise awareness about the right to personal-data protection and privacy. Most awareness-raising actions speak about the necessary steps to protect personal data in the main social networks, browsers and operating systems.
But this depends on the assumption that individuals want to protect their privacy. This is not necessarily so across the board; teenagers, for example, according to a Pew Research Center study, are sharing more personal information on social media sites than they did in the past. According to European Barometer 431, a large majority of people (71%) say that providing personal information is an increasing part of modern life and accept that there is no alternative to providing it if they want to obtain products or services.
The right to privacy is enshrined in Article 12 of the Universal Declaration of Human Rights: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
According to Pew’s study “how Americans think about privacy”, control over personal data matters. This was the answer given by 74% of the respondents. But users struggle to understand the nature and scope of data collected about them. This understanding is certainly not helped by the fact that a person would need more than a month each year to read all privacy policies, as Aleecia M. McDonald and Lorrie Faith Cranor stated in their paper “The Cost of Reading Privacy Policies”. GDPR should help here. Under this new regime consent will have to be given by a clear affirmative act confirming the data subjects’ freely-given, informed and unmistakable readiness for their data to be processed. Organizations will therefore have to smarten up their arrangements for presenting these terms and conditions.
Right now, for the vast majority, the opportunity cost is too high. Individuals do not have the necessary wherewithal to protect their privacy. Even SMEs do not have the proper data-protection resources. Privacy should be just another commodity or service feature, to guarantee data security throughout the whole supply chain. GDPR will change not only the way organizations handle personal data and approach their customers about it, but also how they do business with other organizations.
For that reason, organizations are now bearing higher costs to build privacy by default into all of their processes from the design stage onwards. To start with, a data protection officer (DPO) must be designated by controllers and processors of personal information according to GDPR Article 37 when the processing is carried out by a public authority or when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”. Working on the assumption that any company with at least 5,000 employees would need a DPO for such processing, the IAPP estimated that at least 28,000 DPOs will be needed to meet GDPR requirements.
Author: Sonia Morales Robles
The author’s views are entirely his own and may not reflect the views of GMV