Who is Collecting Personal Data and Where Does Corporate Responsibility Lie?

In the wake of the Cambridge Analytica/Facebook scandal (where 87 million users’ data were acquired for political purposes), personal data has yet again become a diamond in the eyes of the media. And with GDPR being about one month away, it is time to really discuss who can access personal information and for what purposes.

Today, it is not uncommon to receive an email from businesses one has never even heard of, who has obviously obtained names and data from other companies – the personal data miners or data brokers, as they are called. These matters can be annoying rather than harmful.

But… What if data brokers sold information to universities, hospitals, or recruitment companies for example? This could lead to people being denied medical treatment, losing a job opportunity, or not getting into an educational program because these institutions have gotten indications that the said person won’t be able to pay, or have ended up on a record for drug users. That’s were trading with personal information becomes harming.

Who is collecting your personal data?

For a long time, it’s been quite a secret world, selling personal data. And a very lucrative one at that. Some have even compared personal data to being “the new oil”, seeing as there is a fair amount of money to be made trading this information.

An article published by the magazine Newsweek defines that the expected amount of companies buying and selling personal information in the US are between 2,500-4,000. However, what the data is being used has no statistics.

An opinion piece published by CNN recently stated that surveillance capitalism, done by companies like Equifax (who was in the news a year back for a big cyber attack), is able to work because of companies like Google and Facebook. If a person gets a service they’re not paying money for, it is sure they’re paying in another currency when they accept the terms and conditions.

The responsibility of corporations collecting personal data

There are not only the tech giants gathering personal data, all companies with a customer base do it. No matter the size, a company collecting personal information needs to take responsibility. There is no debate or argumentation about that cause.

The bigger question is what can be done on a corporation’s side to meet the privacy regulations. It needs to be understood that personal data is an asset and at the same time a liability. The GDPR can be viewed as a fire extinguisher to personal data moneymaking because now there are hefty fines to expect if personal data is not handled correctly.

Small offenses could result in fines up to 2% (or €10 million) of a company’s global turnover. Larger offenses with more serious consequences can result in fines up to 4% (or €20 million) of the global turnover. This way, companies are scared straight to keep confidential personal data secure.

Personal data privacy in the USA vs Europe

To make sure private information is kept safe, there is importance in where companies and servers are kept. The first point, there is a difference in mindset between American and European companies. The second point, there are different regulations within the different continents.

With the statement that privacy and data protection are both fundamental rights, the European Union has decided to make sure that its somewhat 510 million people now will have the same legal and digital framework. Therefore, anyone working with companies that keep information about the citizens of the European Union now needs to comply.

According to the GDRP, data transfer to a third party outside the EU that does not have adequate data protection standards is only allowed under exceptional circumstances. Therefore, a server located in Europe (or one of the other 11 countries that meets EU standards) is crucial.

One month to comply with GDPR

GDPR goes into effect on May 25th where the focus will be on permission and transparency. The General Data Protection Regulation means businesses have about one month left to comply and get in line, leaving them to no longer have the right to handle European user data as they wish. The GDPR will put obligations on data controllers, forcing them to explain to people what personal data they aim to collect and why.

This regulation is supposed to help users better understand the ways they are surveyed online by emphasizing consent, control, and have clear explanations. Leaving the common person empowered and in charge of their own data, while companies will need to adapt.