You’ve likely heard about the General Data Protection Regulation act pushed out by the EU recently. If you’re from Europe then chances are you’ve been bombarded with emails about it. It’s all kind of boring though, so you could be forgiven for not reading into it too much. As boring as it might be, it’s still a very important piece of legislation and it’s one you should know about. With that in mind, here’s everything you need to know about GDPR.
What is GDPR?
Let’s start with the obvious and explain just what the GDPR is. It’s a piece of legislation that the European Commission passed in April 2016. Companies were given two years to comply with the legislation, which goes into effect on May 25, 2018.
GDPR was designed to replace the previous law known as the Data Protection Directive and it aims to create a single set of rules for European Union member states. It aims to give consumers more control over the personal data companies collect about them. Not only does the legislation affect organizations based within the EU itself, but it also applies to companies outside of the EU if they provide services to – or monitor the activities of – EU citizens. As you can see, it’s going to have a major impact felt around the world.
How Did All This Come About?
The GDPR is one of the latest EU parliamentary measures designed to protect personal data as much as possible. The EU Charter itself states that protection of personal data is a fundamental right associated with protection of one’s natural person.
While American laws tend to favor businesses more than consumers, the EU takes a consumer-first approach. The Data Protection Directive and the Organisation for Economic Co-operation and Development (OECD) started the process, and now the GDPR continues it.
Make no bones about it; the EU cares a lot about protecting consumer privacy and always has. It has now paved the way for this approach to be taken globally thanks to the GDPR, its policies, and the punishments for those that break them.
What are the Key Policies?
A key focus of the legislation is strengthening the conditions of consent. This means that companies can no longer obtain your data by using vague and confusing statements. They will also no longer be able to make users consent to several things at once. Users should be able to consent to each purpose individually, rather than being presented with a list of purposes and asked to consent to all of them at once. On top of this, a parent or guardian must consent to data collection on children aged under 16.
Another GDPR rule says that companies must notify their data protection authority about any breach within 72 hours of becoming aware of it. Those in charge of processing data must notify customers as soon as possible once the breach has been discovered.
Consumers will also be given more control over their user data. They will have the right to access the personal information that companies store on them and to find out what the data is being used for and where it is being kept. The legislation also gives users the right to be forgotten. That means you have the right to ask those holding information on you to delete it and to prevent third parties from getting access to it. It also allows people to transfer their information between service providers easily.
How Will it Affect Individuals?
While consumers are given more control over their information and the right to be forgotten, there are some gray areas about how all this applies in reality. In theory, the law would allow people to demand that social networks such as Facebook permanently delete their profile. How feasible this is remains to be seen. There are also other complications, such as freedom of expression. Laws built around freedom of expression prevent the right to be forgotten from extending to news articles.
Will There Be Punishments for Breaking GDPR?
There will be some potentially major fines associated with breaking the rules of the GDPR. Organizations that breach the rules will be subject to fines of up to 4% of their annual global turnover or 20 million euros (around $25 million), whichever figure is higher. Given that some tech companies such as Facebook and Google make billions of dollars each year, this could be a potentially massive fine.
How Does GDPR Affect Firms?
Organizations have had two years to prepare for GDPR, so hopefully the impact won’t be as big as it could have been. Big tech firms such as the aforementioned Facebook and Google have already opened up about what they plan to do. These are organizations that handle huge amounts of data, so preparation has been key. Facebook in particular released a new set of privacy tools to help the organization comply with GDPR, and other companies have released their own plans and tools.
Is There Anything Else Businesses Should be Aware Of?
Don’t be too worried about the changes, though. The Information Commissioner’s Office insists that these new measures will retain many of the same principles and concepts as the current Data Protection Act. Not much is going to change, but it still helps to know what is changing. Most companies that already abide by the old legislation are likely already complying with the new one. Of course, it never hurts to hire a data protection officer to ensure complete compliance and to have the right people ready when they are needed. Betipy has created the infographic below, titled “55 Things You Need To Know About GDPR”, which offers business owners and members of the public a detailed look at the main points.