For those of you with a keen eye or a particular attention to detail, you may have noticed privacy policy changes over the last few months on many popular websites. This is all part of the preparation for the General Data Protection Regulation (GDPR) that goes into effect May 25th, 2018. This affects all companies around the globe that deal with the data from citizen’s in any of the 28 countries in the European Union (EU). From the smallest online retailer to global behemoths, no one is given an exemption from the GDPR. This means many businesses are faced with the choice to comply or stop dealings with EU citizens, which isn’t an option for most.
The GDPR is designed to Protect EU citizens and their data and is a requirement for organizations to do business with them regardless of where they are located. Many of the regulations in the GDPR have been in place in the EU since privacy initiatives such as Privacy Shield and the Data Protection Directive; however, the power for enforcement has increased among some other additions. They include a number of key protections for consumers:
- Worldwide Jurisdiction – the GDPR will be applied regardless of where the information is being collected as long as it is from an EU citizen.
- Tough Penalties – with maximum fines (4% of total global revenues) they are the largest ever considered and could cripple many companies. The EU is making them a true deterrent for non-compliance.
- Tighter Sharing Regulations – the days where a single site could easily share data with dozens of partners for ad targeting are gone. Transparency about who the data is being shared with secondhand and new contracts/user agreements will be needed to meet the new complex standards.
- Explicit Consent – users must grant consent to the company collecting the data rather than needing to opt-out. There are requirements allowing users to have an easy way to remove their data and remove consent as well. Tighter guidelines are also being added for children up to age 16.
- Mandatory Notice of a Breach – companies will have 72 hours to make it public knowledge of any breach that may have allowed any of this user data to be compromised.
- *The ePrivacy Directive – adds additional regulations for electronic communication, which would make consent the only legal way to collect personal data. This is still being ratified by EU and while not a part of GDPR, the European Parliament hopes to implement it at the same time.
The key additions that have put everyone on notice are the penalties and new rules for consent. The unprecedented fines that companies could face if they are found to be not in compliance with the GDPR have caught everyone’s attention. They can reach up to a staggering 4% of total global revenues. To put that in perspective, that’s the equivalent of the EU issuing a fine of $4.4 billion to Google or $1.6 billion to Facebook; and if you think smaller revenues lessen the risk, there is a €20 million ($24 million) minimum for that same violation. The other key addition is changing the way consent for collection is given. The GDPR is shifting the burden from the customer to opt-out of different data collection and tracking methods to the company’s gaining explicit consent or opt-in from the users before tracking or collection begins.
One of the recommended steps for all companies that deal with data and the requirement under GDPR for those that produce large amounts is to hire a Data Protection Officer (DPO). This is a new position for many companies and in those where it is required, it must be additional to the existing data or IT security personnel. This role will be a key player in ensuring compliance and interact with the GDPR supervisory board in any and all inquiries. Estimates from groups like the International Association of Privacy Professionals (IAPP) have estimated that this will create upwards of 75,000 DPO’s worldwide, based on the requirements from the GDPR, with more potentially opting to hire the position although not legally required to do so.
How this regulation will change the digital data landscape is still being determined. While the guidelines and regulations are known, how and how often they are enforced is still uncertain. The difficulty in following the regulations and the number of violations resulting in penalty will determine what we see in the coming years. While the increase in data security seems certain to be accomplished the ways that GDPR will shape the internet in the coming years remains to be seen.