The European Union (EU) takes a much stricter and more comprehensive view of privacy than the privacy laws of the United States. The concepts of privacy in both jurisdictions are similar in tone, but the differences lie in the way these laws are structured and enforced. For example, in the US, the term "privacy law" refers to a patchwork of statutes that address information or data privacy within particular sectors. In the EU, the same subject falls under a broader category that covers the full scope of personal-data processing and is referred to as data protection law. Furthermore, the EU General Data Protection Regulation (GDPR) applies to any organization, wherever in the world it is located (including the US), that processes the personal data of individuals in the EU, and it requires those organizations to comply with the privacy rules set forth in the GDPR. By the same token, companies that conduct business in the EU must follow the GDPR or face severe penalties: administrative fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher.
The EU approaches privacy differently from the laws we are familiar with in the US. Most notable are the ways in which privacy laws apply to industries across different sectors. In the United States, separate privacy laws apply to businesses based on the type of data they oversee; this is known as a sectoral approach. In the EU, by contrast, a single privacy law applies to all business sectors equally, which is an omnibus approach to privacy. According to Swire & Ahmad (2012), "Although there is no federal omnibus law requiring companies to have public privacy notices, certain sector-specific statutes such as HIPAA, Gramm-Leach-Bliley, and COPPA do impose notice requirements." Another feature of the EU approach is the role of the data controller. Under the GDPR, the data controller is the person or organization that determines the purposes and means of processing personal data, and it is the party individuals can contact (directly or through its data protection officer) to obtain additional information about their personal data and how that information is being used. A critical point about the EU approach to privacy is that one law governs all facets of privacy and it is enforced across all public and private entities.
The GDPR supplies additional rights for individuals and creates more openness around data privacy. As a result, it provides more transparency about the data being collected and helps consumers make simpler, better-informed choices concerning their privacy. In addition, the concepts of "privacy by design, the right to be forgotten, and the right to be informed" cover the totality of consumers' privacy expectations and the way in which personal data are collected and stored in information systems. According to Dr. Terwangne, "the purpose principle specifies that personal data must be processed for a determined, legitimate and transparent purpose" (2013).
- Privacy by Design - this concept addresses the design of information systems so that consumers' data are protected within the technology and throughout the lifecycle of a system. It takes data privacy into account in software development, projects, products, and services in order to comply with the GDPR. It also accounts for both the technical and the organizational security measures taken to protect the data privacy of consumers. Any company that processes personal data must consider data privacy at every step of its business. Closely related is privacy by default, which specifies that when a product is released, the privacy-protective settings apply automatically without the user having to enable them. According to ICS (2020), "the strictest privacy settings should apply by default, without any manual input from the end-user."
- Right to be Forgotten - requires that a person's personal data be erased without undue delay when it is no longer needed for the purpose for which it was processed. According to Intersoft Consulting (2018), the data will be erased when "the data subject has withdrawn his consent, and there is no other legal ground for processing, the data subject has objected, and there are no overriding legitimate grounds for the processing." It is important to note that the data subject must request that the data controller permanently erase the data. Erasure thereby satisfies the individual's "right to be forgotten."
- Right to be Informed - this GDPR right establishes transparency about what consumer data is collected and how the data is used by companies. According to Intersoft Consulting, "the right to be informed also includes the duration of storage, rights of the data subject, ability to withdraw consent, and the right to lodge a complaint with the authorities." Furthermore, individuals have the right to know with whom their personal data is being shared and for what purposes. Organizations can inform the individual through written correspondence or electronically via e-documents.
Red Clay Renovations must align its business practices with the EU GDPR mandates in order to provide satisfactory protection for customers' data privacy. Five of the recommended best practices that Red Clay will incorporate into its IT security policy for the protection of privacy are:
- Right to be forgotten.
- Privacy by design.
- Data protection officer.
- User consent.
- Data breach notifications.
In closing, the EU GDPR protects the privacy of consumers' personally identifiable information and establishes rules that put control of personal data back into the hands of the data subject. A person has the right to know how their data are being collected, used, and shared with external entities. Information technology systems must also be designed in a way that protects consumers' data privacy before, during, and after transactions. Red Clay Renovations can implement the five industry best practices listed above in its IT security policies to better protect the company and each individual customer's privacy, along with its most precious asset: data.