What is the General Data Protection Regulation (GDPR) and how does it affect you?
Better privacy for Europeans
The European Commission is one of the most vigilant regulators in the world when it comes to consumer protection.
Recently, you may have received a lot of emails from companies such as Microsoft and Spotify about changes to their privacy policies.
This is because of a new regulation passed by the EU Commission, which went into effect on May 25th, 2018.
The GDPR is a new EU rule that rewrites how companies handle and share data on the internet. You might not be fully prepared for it and may wonder how it affects you, but a lot has changed in the back end of the services you use every day.
Let’s have a quick look at what GDPR is and how it has affected the technology industry.
What exactly is GDPR?
This new piece of legislation was unveiled in 2012 and is intended to replace the EU Data Protection Directive, which had been in place since 1995. The GDPR applies not only to all EU member states but also to many other countries around the world.
One of the fundamental changes this regulation makes is that companies that collect user data (apps and websites) are required to disclose more information to users.
Some highlights of the EU Data Protection Regulation:
- Personal data must be processed fairly and collected only for specified purposes.
- All collected personal data must be accurate and kept up to date.
- Companies must tell users who will receive their collected personal data.
- Users may be identifiable from the data only for as long as necessary, unless the data is kept for historical, statistical or scientific research purposes.
- The data controller (the business that collects the data) must ensure its compliance with the GDPR.
- The identity and contact details of the data controller and of the Data Protection Officer (DPO) must be disclosed to users.
- Businesses must tell customers why their personal data is collected and for how long it will be stored.
- People must be informed of their right to request access to their data.
- Users have the right to request that their personal data be updated or removed.
- Users can lodge complaints with the supervisory authority.
- The personal data collected must be sufficient for the stated purposes and no more.
- The contact details of the supervisory authority must be provided.
- The data controller must specify whether it intends to transfer the user’s data out of the EU.
- If a user’s data is going to be transferred out of the EU, the data controller must specify where the data is going and the level of data protection that country provides.
- Any other information necessary to guarantee fair processing of the user’s data must be provided.
There is not much significant difference between the new GDPR and the old EU Data Protection Directive.
But there is much more emphasis on disclosing how, and for how long, customer data will be stored. Users also have the right to request access to, update of, or removal of collected data.
What businesses need to do to comply with GDPR
Data Protection Officer
Businesses are now required to appoint a Data Protection Officer (DPO) to ensure that the regulation is complied with within their company.
The DPO’s tenure is between 2 and 5 years and can be renewed up to a maximum of 10 years. According to a paper released by the EU DPO Network:
“The DPO shall be selected on the basis of his or her personal and professional qualities, in particular, his or her expert knowledge of data protection”
Once a DPO has been selected for a company, the appointment should be notified to the European Data Protection Supervisor. Some ways the DPO can ensure that GDPR principles are properly followed by the company are:
- Hold regular training sessions with data controllers and their staff.
- Develop data protection guidelines and policies.
- Attend meetings of senior and middle management to provide updates on compliance within the organization.
- Publish short articles in company newsletters or publications.
- Prepare information booklets or guides for staff.
GDPR compliance for businesses
The GDPR includes penalties for organizations and businesses that don’t comply with the regulation. These penalties are divided into three tiers.
The first tier is imposed on a business that intentionally or negligently fails to respond promptly to users’ access requests, or charges a fee for handling such requests. Such a business can be fined up to 0.5% of its total worldwide turnover.
The second tier, a fine of up to 1% of annual turnover, is imposed on a company that:
- Fails to be transparent with users about its privacy practices, or fails to provide users a way to access and review their personal data.
- Fails to respect consumers’ data privacy rights, or fails to provide users a way to update their personal data.
- Fails to make users’ data portable, or ignores users’ objections to their personal data being used for marketing purposes.
The highest tier, a fine of up to 4% of a business’s turnover, would be handed out if the business “intentionally or negligently process[es] personal data without having a legal basis for doing so, break[s] rules on profiling, fail[s] to notify data breaches, or transfer[s] personal data outside of the EU without adequate safeguards”.
The GDPR also allows consumers to file “class action” lawsuits against data controllers who lose personal data.
Want your business to comply with GDPR?
Most of all, the first thing that will come to mind is EU citizens and how you are serving them. If your business serves users globally, there is a good chance that some of them are EU citizens.
Impact of GDPR
As a result of GDPR, some companies, including Instapaper, began to block EU users entirely, while others, such as USA Today and National Public Radio, redirected them to stripped-down versions of their services with limited functionality in order to comply with the regulation.
Some companies, such as Klout, ceased operations entirely to coincide with its implementation, citing GDPR as a burden on their continued operations, especially given their business model.
Also, Max Schrems’ non-profit noyb immediately sued Facebook and its subsidiaries, along with Google LLC, over their use of “forced consent”. Schrems asserts that both companies violated Article 7(4) by not presenting opt-ins for data processing consent on an individualized basis, and by requiring users to consent to all data processing activities or else be barred from using the services.