How the GDPR Impacts Corporate Responsibility
The EU’s newest data protection regulation is causing sweeping changes across the globe and corporate responsibility practitioners need to take notice
by Cecily Joseph, VP, Corporate Social Responsibility
On May 25, the European Union’s General Data Protection Regulation (GDPR) became enforceable. Regardless of where you live, you’ve likely received numerous emails from companies providing tech-based apps and services you use, informing you that they have made updates to their privacy policies and asking you for your consent to remain in their database so that they can continue to send you information about their products and services. That’s because the GDPR applies to all companies processing the personal data of individuals in Europe, regardless of where the company itself is based.
The GDPR was designed to increase privacy and confidentiality, and it provides individuals in Europe with the right to better control their personal information, including medical records, bank statements, and Internet searches. While this regulation has greatly impacted the privacy practices of companies across the globe, it is also shaping corporate responsibility programs.
I interviewed Gerard Chan, Symantec’s VP of Legal and head of our Global Privacy Office, to discuss how the GDPR is changing the relationship between privacy and corporate responsibility.
CJ: In 2015, the UN Human Rights Council highlighted in a resolution on ‘the right to privacy in the digital age’ that new technologies could make it easier for corporations and governments to track people and read their messages. At Symantec, data privacy has always been a pillar of our corporate responsibility program. As the head of Symantec’s Global Privacy Office, how does your work intersect with corporate responsibility, including Symantec’s human rights initiatives?
GC: Symantec takes seriously our duty to protect personal data and we have safeguards in place to ensure that personal information is collected and used in appropriate ways. We’ve seen that keeping personal data confidential and secure can help prevent human rights violations by protecting vulnerable individuals and communities.
If misused, personal information, like location from a GPS signal or phone conversations and texts, can put people at risk. Think about journalists, dissidents, activists, and others whose information could be seized by an authoritarian government. Even in countries without such concerns, sharing sensitive personal data, such as race, religious beliefs, or electronic medical records could lead to discrimination. For these reasons and many others, we know it is our duty to protect the personal data we have access to.
CJ: How does the EU’s new regulation, the GDPR, change or increase privacy?
GC: I’d like to focus on three of the bigger changes. The first is that the GDPR gives individuals in Europe the right to be forgotten – that is the right to have businesses erase their personal data entirely.
The second is that in more circumstances than before, the regulation will require companies to obtain individuals’ informed and specific consent to the processing of their data. In such cases, companies will have to ask the “data subjects”, as the law calls these individuals, to give genuine and free consent before starting to use their personal data. And for the consent to be valid, the data subject must be clearly informed about how their personal data will be used, shared, and stored.
The third is the one that affects companies the most. The GDPR aims to embed data protection in the design stages of products and services, requiring what we call “privacy by design”. This means that privacy and data protection safeguards must be built into products and services from the earliest stage of development, and in many cases they must be enabled and even set to the maximum level of protection and confidentiality by default.
CJ: Do you feel that the GDPR will help better protect human rights?
GC: We are living in a digital world where data can reveal private details about our lives— our thoughts, beliefs, movements and activities. The GDPR is one of the first legal acts to require that digital rights, like the right to privacy, be systematically incorporated into all business operations. The regulation isn’t perfect, but it strengthens protections for privacy and data protection in the European Economic Area and attempts to limit invasions into people’s lives through data, which is critical for human rights today.
The regulation also guarantees some protections from decisions based on profiling and computer-generated decisions. Some organizations including commercial companies and public authorities use algorithms to make decisions about whether a person qualifies for various benefits or opportunities, such as health insurance, credit, or a job. The GDPR is designed to help prevent discrimination and provides a new layer of protection. It gives individuals the right to have a human review any such automated results.
CJ: This sounds like a big shift in the privacy landscape, but will companies all comply? How will the GDPR be enforced?
GC: Penalties for violating the GDPR are enforceable under European law, in some cases even with an international reach. Administrative fines can be as high as €20 million or 4% of annual global revenue, whichever is greater. This really highlights the significance that the EU is placing on data protection and privacy, and we’ve seen that companies are taking compliance very seriously. As you’ve likely seen in the news, Facebook, Google and others are already facing lawsuits for non-compliance, and the stakes could be worth billions of dollars in potential fines.
Aside from financial penalties, businesses can also receive orders to stop processing data if they don’t comply or violate individuals’ privacy, making it hard for them to operate. This penalty could end up being an even bigger reason to comply with the regulation.
CJ: How can people reading this learn more about our programs?
GC: Symantec as a company took the necessary steps to ensure we were prepared for GDPR compliance. We’ve also created a new privacy portal, which includes information on how Symantec is safeguarding people’s privacy.
Customers can learn more by also visiting our Customer Trust Portal, which describes how Symantec products and services can help our customers achieve their own GDPR and other compliance objectives. We’ve had really positive feedback on both of these portals, especially our Customer Data Processing Addendum, which more thoroughly lays out our commitment to safeguard any personal data that we process on behalf of our customers.