Considered the most important development in data privacy regulation in two decades, the General Data Protection Regulation or GPDR has taken effect on May 25, 2018. The regulation was up for debate for four years before it was approved in 2016, with the enforcement date set this year. This means that organizations who failed to comply within two years may face heavy fines.
The GDPR is a rule passed by the European Union that standardizes data protection laws across all 28 EU countries. It imposes stricter rules on controlling and processing personally identifiable information (PII) and extends the protection of EU residents’ personal data and data protection rights. Moreover, the implementation of these stricter rules can potentially address issues with invasion of privacy and identity theft. The GDPR replaces the 1995 EU Data Protection Directive.
The new rule sets a higher standard in obtaining personal data from the consumer. Usually, when a company acquires personal data from an EU consumer, it needs informed and clear consent from the user. Consumers must also be able to revoke that consent and request for the data the company has from them in order to authenticate the consent. GDPR has stricter and stronger rules for collecting and sharing data, which also means that they will be required to revise how ads are targeted online. In storing and processing data, GDPR may also require the use of encryption, data backups, passwords, and malware protection.
Moreover, the penalties set for violations are higher. The maximum fines for violations are currently set at 4% of the company’s global revenue or $20 million, whichever is higher. This will clearly motivate companies to comply and revise their policies on data collecting and sharing.
Consumers have taken advantage of the “free” services from Google, Facebook, and Twitter among others in exchange of giving away personal information such as email addresses, sexual orientation, and political leanings. However, users find it hard to understand what exactly they are consenting to give these tech companies when they agree on the confusing and elaborate terms and conditions. One perfect scenario that would justify the need for stricter regulations on consumer data collection is Facebook’s Cambridge Analytica scandal. Political data firm Cambridge Analytica allegedly acquired the data of 50 million Facebook users and sold the data to US politicians vying for election in 2016, in order to influence their votes.
In the US, a data privacy protection for sensitive patient data has been in place. It is called the Health Insurance Portability and Accountability Act or HIPAA. Similarly, the HIPAA Privacy Rule oversees accessing, saving, and sharing of medical and personal information of any individual.
Earlier this year, big tech companies have taken steps in compliance to the GDPR. Google, for example, has started letting users choose which data they want to share with Gmail and Google Docs, among its other products. Facebook has started complying, as well, by rolling out a single page called the global privacy center that would let users organize who sees their posts and what types of ads they see. Amazon also began enhancing their data encryption on its cloud storage and made their terms of agreement simpler.
As the GDPR is a mandate given to countries of the European Union, it only applies to EU countries, technically speaking. However, with the global nature of the Internet, this means that every online channel and service is affected by the new rule; and therefore US consumers will be greatly affected as the big tech companies start to adapt.