(101 Series) The GDPR and What We Don't Realize About Data Protection, or the Importance of Cybersecurity in Our Daily Lives
In this piece, we are diving into what the GDPR truly represents, beyond its legal framework, and exploring how it highlights the increasing importance of cybersecurity in our daily lives. We’ll look at how this regulation aims to protect our personal data, why that matters in a world so connected by technology, and what its implications are for both individuals and companies globally. This is not just about compliance; it’s about understanding the role cybersecurity plays in safeguarding our everyday digital interactions.
If we think about it, the cookie notifications that appear on our phones or computers every time we open a webpage; the option, selectable with a simple click, to choose what information those sites may use; and the emails from companies explaining that accounts have been hacked or information has been compromised, along with the steps we can take to avoid being affected: these are all quite recent developments.
However, the vast majority of people don’t know why these things happen, even though they occur daily and frequently.
For a short time, some websites displayed a notice that this was happening due to compliance with the GDPR, a regulation requiring them to show such messages and options. But what is the GDPR, and why is it important?
First, we need to take a step back and go from the general to the specific.
An important aspect of cybersecurity is safeguarding, protecting, and maintaining the confidentiality of all personal information. There are two types of personal information: Personally Identifiable Information (PII), which is any information that can be used to infer a person’s identity, including full name, date of birth, physical address, phone number, email address, Internet Protocol (IP) address, and similar information; and Sensitive Personally Identifiable Information (SPII), which falls under stricter handling guidelines and includes social security numbers, personal identification numbers, medical or financial information, and biometric data such as facial-recognition data.
Although both types of information are prone to theft and identity theft crimes, obtaining someone’s SPII has the potential to be significantly more harmful than stealing their PII. Nevertheless, the theft of any personal information is alarming and very dangerous if misused.
How can we protect personal information?
Morally and ethically, IT teams are obligated to establish safeguards, treat all personal information equally, and protect it to the best of their ability. However, it’s not enough to rely on IT teams being equipped, trained, and having the time to do so — no matter how well-intentioned they may be.
This is why rules must be created to ensure that all individuals have the same rights concerning their data; that companies, whether large or small, have clear and fair rules for handling it; that consistent penalties are imposed for data mishandling; and that authorities in different countries work together effectively.
Surely, then, there are already international standards for how to handle, store, and protect people’s data, right?
Well, no. The closest thing is the General Data Protection Regulation (GDPR) of the European Union (formally known as “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”), which came into force in May 2018.
So, what does the GDPR do?
The regulation seeks, in essence (and at far greater length than the three paragraphs above), to protect how all personal information is processed and stored, and it includes penalties for violations.
The GDPR is important because, in addition to covering modern aspects such as genetic and biometric information, it provides a solid legal framework that protects users from the misuse of their data. For example, it stipulates that individuals must give clear and explicit consent for their information to be processed and stored by companies (hence the cookie notifications); there must be a time limit on how long personal information can be stored; companies are required to notify all their users within 72 hours if a third party has accessed that information; and it also establishes the right for users to access, correct, and request the deletion of their personal data (known in IT as the "right to be forgotten"), with no copies kept.
And why does this regulation apply worldwide and not just in Europe?
Well, because the regulation states that it applies to everyone: individuals, entities that process or store data, and authorities that deal with EU member states and the people in them. As a result, this regulation also serves as a human rights umbrella for a large part of the population, particularly in countries like ours, which have a close relationship with Europe.
So the next time we receive a message about cookies, instead of seeing it as an annoyance, we should remember that our personal data is being treated within a human rights protection framework that promotes responsibility and transparency in data handling.