You can’t have customers in the e-commerce world without collecting personal data. Even processing a credit card for an online purchase made through a guest account requires you to collect some personal information and hold it for a certain period of time. When you collect personal information, you’re required to comply with the data protection regulations that apply to that information, such as CPRA, LGPD, and GDPR. And ignorance of the law is not an excuse for failing to comply with it.
Not Knowing Is Not an Excuse
Recently, a prominent online public comment sharing platform that also engages in programmatic advertising found this out the hard way. Used by several Norwegian newspapers, it collected and shared personal information with third parties without informing the users that it was doing so. Last week, the Norwegian Data Protection Authority issued a statement that it intended to fine the firm €2.5 million for violations of the GDPR requirements of transparency, information, and legal basis for processing. The firm said that it wasn’t aware that the GDPR applied in Norway, but the Norwegian DPA still applied the fine.
What Most Companies Don’t Know About GDPR
The firm is an American company, and Norway isn’t part of the European Union, so why did GDPR apply?
- The European Economic Area (EEA) – Norway is not part of the EU, but it is part of the EEA, which also includes Iceland and Liechtenstein. The GDPR includes EEA countries. To make it more complicated, GDPR doesn’t apply in Switzerland and the United Kingdom, but both countries have adopted similar laws. As a result, if you process data from the EU, Iceland, Norway, or Liechtenstein, you need to comply with the GDPR.
- GDPR is extra-territorial – GDPR applies if you are processing the personal data of any EU or EEA resident, no matter where your company is headquartered. Data protection regulations follow the data subject, not the company processing the data.
Meeting Data Privacy Regulatory Requirements
Data protection regulations may use different terms, but the fundamentals are the same. In our example, the company didn’t take the necessary steps to protect personal data, didn’t notify people that it was collecting their information, and wasn’t transparent about how it used that information. If it were required to comply with CPRA or Brazil’s LGPD, it could find itself facing a similar situation.
GDPR is the gold standard of data protection laws, and most regulations share some similarity with it. Data subjects (or consumers, or patients, or however the law defines the individual) in California, Brazil, and many other places have basic rights that are common across the regulations. The right to notice, also called notification or transparency, appears in the CPRA, HIPAA, GDPR, and LGPD.
You Can Protect Yourself
With so many data privacy regulations, it’s challenging to stay on top of all the requirements. At Very Good Security, we’ve developed a revolutionary way to secure personal information with our Zero Data Approach.
VGS intercepts data as it’s collected, creates a real-time “alias” (an advanced form of token), and enables you to have full operational data functionality without having to invest time and resources in building costly infrastructure to secure the data yourself. VGS simply removes the burden of data protection from your technical responsibility and legal liability. Secure the data in your VGS vault and let your systems handle only the aliases, eliminating the risks of any data breaches or unintentional leaks.
VGS also automates compliance workflows such as automatically mapping security controls, monitoring and reporting control status, and collecting evidence. By working with VGS, you gain best-in-class security that can significantly reduce your compliance certification tasks. GDPR and other privacy compliance work becomes fast and easy, letting your teams focus on growing your business and profits.