The General Data Protection Regulation (GDPR) changes how consumer data is saved and used. What impact will this new reg have on companies that use geolocation data to monitor their employees and/or customers?
Location data plays a key role in the business-consumer relationship today. Whether it's a shipping company monitoring their drivers' movements to ensure customers receive packages on time or a search engine helping you find the nearest takeout restaurant, location data is a powerful tool.
Ninety percent of smartphone users polled said they used their devices to find location-based services, such as directions or local recommendations. It adds a more personalized, convenient experience, enabling organizations to reach their target customers more effectively.
However, location data can also reveal private information about users, which many are not comfortable with.
The EU's General Data Protection Regulation (GDPR) aims to change the way that consumer data is gathered and used, even if this simply means clarifying the process in jargon-free language.
What impact will this have on companies using location-based data to monitor their own employees and/or consumers?
Location-based data and individual rights
The GDPR will apply to all countries within the EU and is set to unify data regulations into one program.
Businesses and organizations will face stricter rules regarding data processing and security. For example, a data protection impact assessment (DIPA) will need to be undertaken before certain projects can be completed and brought to market.
This is a process designed to ensure businesses and organizations identify and minimize any risks related to their project's data protection. This applies to those applications or systems in which data processing poses a high risk to users, essentially putting greater pressure on businesses to consider the potential repercussions of their service.
The GDPR will affect companies using location data in different ways. For example, a business using fleet tracking will see a change in their right to record data on their employees' movements and performance.
As it is, implied consent has been enough, but under the GDPR, they will need to have legitimate reasons to process employees' personal data.
These businesses will also have to inform their employees of what data will be collected and why in explicit terms. They can only use said information for the purpose specified, store it with fit-for-purpose security procedures, and ensure that employees understand they have the right to ask for a copy of data in which they can be identified clearly (which must be supplied within 30 days).
The price of non-compliance
Companies that fail to meet these regulations could face legal action, with fines of up to €10 million or 2 percent of annual global turnover. Those businesses or organizations that breach individuals rights face bigger penalties – either €20 million or four percent of annual turnover.
Businesses using location data to improve their customers' experience will have to tread carefully too. Facebook, for example, uses your location to provide more relevant advertising, but this can reveal personal aspects about each user.
Visiting a bank will tell data processors who handles your money, attending a church or other religious site will reveal your faith, etc.
This is considered identifiable information, which is classed as personal data under the GDPR (Article 4 (1). "Personal data" covers information that relates to an "identified or identifiable natural person," who can be identified by their name, location data or other revealing information.
"Data subjects" (i.e., anyone whose data has been processed by a business or organization, whether as an employee or customer) have the right to not only request a copy of all data pertaining to them but to request such information be erased.
This means that companies tracking and maintaining location data may need to delete it if the subject does not want their information stored.
A new age of clear consent
Businesses that intend to track location data through GPS apps or tracking devices in employee vehicles or wearable tech will have to update their terms and conditions, so this information is much clearer.
The specifics of what data will be gathered and for what purpose can no longer be hidden in endless paragraphs of confusing language. Instead, all information must be readable and understandable.
This means no more pre-checked checkboxes, which effectively assume a user's consent and pressures them into accepting the terms.
Does GDPR's introduction mean developers can no longer create apps that deliver highly valuable information on local weather, entertainment options or directions? Are businesses no longer able to monitor their employees' driving habits or performance?
These are still permitted, provided they comply with the GDPR's regulations. The new regulation does not aim to disrupt those services and processes that work. Instead, it has been designed to maximize the rights and privacy of the individual, offering a fairer balance of power.
Businesses and organizations that already adhere to an ethical set of practices have nothing to fear by GDPR's arrival. The appointment of a data protection officer, rewriting of terms and conditions and meeting the stipulated criteria may entail extra work, but it's all in aid of a better, stronger, safer system.