THERE ARE ONLY TWO TYPES OF COMPANIES: THOSE THAT HAVE BEEN HACKED AND THOSE THAT WILL BE HACKED. - ROBERT S. MUELLER, FBI DIRECTOR
Privacy, data protection and the digital economy: what do they mean? An obligation? A human right? A business management model? These three concepts have been discussed in different forums, presented by various sectors, and both criticized and applauded. Why have they become a trend in recent years?
These concepts can be discussed from different points of view; by way of example, we can summarize them as follows:
Privacy: The sphere of personal life related to an individual.
Data Protection: The right of a person to decide freely, in an informed way and autonomously with which organizations, public or private, to share information related to their person.
Digital Economy: An ecosystem involving media, information technologies and users.
We can now see that these concepts converge in a new way of relating to each other, whether between people, through computer media or in the way we do business.
Nowadays it is common for a good number of people to have on their mobile device e-mail, instant messaging applications, social networks, applications of financial institutions, health apps, and transit and road applications, among others. Similarly, it has become common to hear about public cases such as Facebook and Cambridge Analytica; in Mexico, cases such as that of a consultancy, that of a political party or that of a media outlet that generates content; or the classic call from company X, to which we have never given our data and from which we have never contracted any service, but which has somehow been able to reach us at our number (home or mobile) to offer us a product or service.
Many more cases and situations could be listed, but the question then is: how can I prevent my organization from suffering information theft? This applies regardless of whether it is a company that is more than 20-50 years old or a startup that is just developing its business model.
How can data protection be translated for an organization? On the one hand, it can be conceptualized as the obligation to protect a human right; on the other, as part of a business management model that protects one of the most important assets of organizations: information.
In Mexico, the Data Protection Authority is the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI, formerly IFAI), created in 2012, which oversees the regulatory framework on the management of personal data in the possession of individuals.
Perhaps the easiest element to identify within this regulatory framework is the privacy notice, a widely used document that few of us take the time to read, because it uses technical language that is not always easy to understand. This document is, without a doubt, part of complying with one of the obligations established by the regulatory framework, but it represents only 5% of all the obligations to be met.
Organizations must meet a legal obligation and adapt to data management practices that evolve as fast as the technology used. The drive to grow the business puts organizations in need of personal data, so that they can reach final consumers more precisely. This situation leads organizations to adopt data protection schemes and processes, with the intention of taking care of a valuable asset and protecting a human right.
Currently, information can be managed through physical or electronic means, in processes that involve the staff of the organization, security measures, applications, mobile devices, etc.; data management is therefore accompanied by an inherent risk, which cannot be completely eliminated but can be minimized.
In May 2018 the Data Protection Regulation (RGPD, or GDPR in English) came into force. It applies to organizations with a physical presence in the European Union (EU) as well as to those without one, and the level of compliance it demands is HIGH. Failure to comply with the provisions of the RGPD carries economic sanctions of between 2% and 4% of the annual profit of the entire organization worldwide, as well as a prohibition on doing business in the European Union.
Likewise, in January 2020, the regulatory framework entitled “California Consumer Privacy Act” is expected to come into force. In general, organizations with a physical presence in California, or in another state or country, are obliged to protect the information of California citizens, who are granted various rights; non-compliance carries fines and, in some cases, class-action lawsuits.
Beyond the fines and the amounts they represent for noncompliance, organizations should consider that there is a reputational risk to their brand or organization, resulting in a decrease in annual income or, perhaps, leading to bankruptcy.
In conclusion, there is no doubt that technology is developing rapidly and that data, in any business model, represents a competitive advantage for organizations. This has led several countries to adopt laws focused on protecting people’s data, and in those cases the benefits of complying are greater than those of ignoring the obligations.