Much of the news coverage of the European Union's newly enacted General Data Protection Regulation (GDPR) focuses on stiff fines—up to 4% of annual global turnover—that businesses serving the EU may face for compliance failures. While avoiding costly penalties is a powerful motivator, we think many of these articles miss the larger point:
Today’s consumer culture demands that businesses be transparent about what personal data is being collected from customers and how it’s used by a company.
At Carbonite, we are glad to have undertaken this compliance effort and we believe it’s the right thing to do, but we won’t pretend it’s been easy. In fact, we believe that when the law went into effect today, the GDPR journey just began.
Historically, companies haven't done a good job of telling customers exactly what personal data is collected, who it's shared with and how it's used. Perhaps that’s because, for some companies, the truth about what’s collected and how it’s used might make the average consumer uncomfortable. But more often than not, we think it's because capturing an accurate inventory of the data collected from a customer, the functions and names of company employees who have access to that data, the purposes for which it's used, and who it's shared with outside a company, is just a complex, dense, ever-changing, and thankless assignment. Nevertheless, too many companies that we trust to store our personal data securely and privately, like Yahoo, Equifax, Uber, Target and Home Depot, have been the victims of cyber breaches, and this has created the need to be more thoughtful and proactive about safeguarding customers’ personal data.
GDPR, while not perfect, attempts to address these concerns. The drafters of GDPR should be commended for taking on the herculean task of drafting a law that attempts to reflect the modern technological age we live in. We’re all in this together now, so let's take a closer look at what GDPR is and the steps Carbonite has taken to comply.
What is GDPR?
GDPR is the European Union's new data protection regulation. The law replaced the EU Data Protection Directive and puts in place a new (or, in some cases, enhanced) set of rules designed to give people more control over their personal data. Personal data is broadly defined to include any kind of data that could identify an individual, such as name, address, e-mail address, contact details, employment records, device IDs, cookies, IP addresses, RFID tags and location data.
All organizations that conduct business within and into the European Union are subject to GDPR, regardless of where those organizations are actually headquartered or domiciled. Under GDPR, not only must businesses ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obligated to protect it from misuse and exploitation.
For more information about GDPR, check out our whitepaper.
Under GDPR, organizations must be transparent about their data handling processes, and this is why everyone has been on a tear to update their privacy policies, and why these privacy policies have in most cases increased from two pages to ten pages. The updated privacy policies are required to provide new disclosure to customers about what personal data a company collects from its customers, how it’s used and who has access to it.
This hasn’t been easy for companies to do. Using the example of you or your family, could you easily jot down all of the people, schools, healthcare organizations, stores, restaurants, etc. that you have given your personal information to, and exactly what information you gave to them? It is a monumental task, and that is what GDPR has required of companies: detailing all the information they collect from customers, how it’s used, and who it's shared with.
How Carbonite complies with GDPR
At Carbonite, we began our compliance efforts by first trying to capture specifically what personal data we collect from customers and users and how it’s being used within Carbonite. We did this by creating a data map, a living document that details the types of data we collect from customers and maps that information to who has access to that data inside and outside of Carbonite. We also tag each type of data with an explanation of how it’s used. We then created a program to keep the data map continuously updated.
We learned a lot while creating our data map. One of the most important lessons we learned is the importance of collecting only the personal data that is necessary to deliver our valued products and services. Our primary goal as a business is to safeguard the data that businesses and consumers protect with Carbonite products. We use personal data to make sure customers receive important product information, updates and special promotions.
And perhaps most important, we enacted these changes with all of our customers in mind, not only those located in the EU. At Carbonite, we believe everyone worldwide should benefit from transparency in data collection practices: what personal data is collected, how it’s used, who it’s shared with.
We hope you’ll work with us as we continue to refine our privacy program and we promise we’ll continually work to make these programs better, stronger and more protective of you, our customers.
Danielle Sheer is General Counsel at Carbonite.