On May 25, 2018, the General Data Protection Regulation (GDPR) came into force. The stringent regulations enacted by the European Union caught almost 60 percent of companies unprepared, compelling them to invest large sums just to comply with the new rules and avoid steep penalties.
What is GDPR?
The GDPR is legislation drafted and enacted by the European Union. It guarantees the data rights of all EU citizens and seeks to unify the data protection laws across its member states. Although it originally aimed to regulate how the major tech giants collect, process and use the data of EU citizens, GDPR has overhauled the data privacy rules of the Internet, affecting not only tech giants but also smaller organizations.
Tech specialists explain that the most notable effect of GDPR is that it increases the fines organizations may face for misusing data, thereby forcing organizations to ensure the utmost data protection. The unified regulations also ensure transparency by making it easier for users to learn what information organizations hold about them and how that information is used, and by giving users the ability to decline unnecessary collection of personal details.
Why was GDPR enacted?
Since the birth of the internet, personal data privacy rules had not undergone a major update or expansion. GDPR is intended to update and unify the fragmented rules of the different EU member states.
This legislation also seeks to protect digital users against data misuse and other cyber threats. It also aims to combat cyber criminals, especially since the Center for Strategic and International Studies (CSIS) has noted that over 600 billion dollars were lost to cybercrime in 2017.
Which companies are required to comply with GDPR?
All organizations that collect, store or process personal data from, or communicate with, EU citizens are required to comply with these stringent regulations. Through this legislation, organizations are expected to be more transparent, reliable and responsible for the information they hold.
How does it affect citizens or consumers?
The GDPR empowers every EU citizen to know what personal information an organization holds about them and how that information is being used. It requires organizations to provide consumers with this information in a clear and understandable way. Prior to its enactment, consumers were left in the dark about how their data was collected, stored, shared, analyzed and used.
Many organizations have started doing so by sending out emails to users explaining how their personal data is used. These emails also give users the option to unsubscribe if they do not give their consent. Although users can expect to receive emails asking them to consent to their inclusion in a database, they have to be careful, because criminals and scammers are sending out emails made to look like GDPR messages. These crooks have found this a perfect time to send out phishing emails to harvest consumers' details without their being aware of it.
A hallmark of GDPR is that it requires organizations to inform the appropriate national bodies of any data breach. Such an advisory would help EU citizens take proper measures to prevent unnecessary use of their personal data.
What types of information do organizations collect?
Personal data collected usually includes the user’s name, phone number, home address, email address, occupation, etc. This data is used mainly for digital marketing purposes. Under GDPR, organizations must remove all of this data if the user withdraws consent or opts out of the database listing. Email addresses are the most essential information for companies, because they are the channel through which companies reach both existing and prospective consumers.
Can an organization use data it already has in its database?
Under the new rules, companies must seek the consent of data owners at the time of collection. The backup files for this data must also adhere to the rules of the GDPR, which is intended to protect offsite personal data in case of a cyber attack or data breach. Usually, companies will hold several backups of these databases. At present, there is no way of completely deleting stored personal details from backups, and organizations are allowed to retain the data in backups even if the user has opted out.
How can an organization comply with the new regulations?
In order to be GDPR-compliant, an organization having custody of the data must be accountable and able to demonstrate full compliance with the data protection rules. A designated Data Protection Officer (DPO) must regularly run tests to ensure that the data protection reporting and backup & recovery systems are in place. The organization should have efficient tools that can quickly identify personal data and remove it from the database.
Does GDPR prevent data breaches?
Although GDPR cannot completely eradicate cyberthreats, it can significantly curb their incidence. The enforcement of these strict rules ensures that the relevant authorities will be notified immediately (within 72 hours) of an actual data breach. While there is still a risk of data being compromised, quick action and resolution by the company and the authorities can minimize the harm caused by leaked data.
What if an organization fails to comply with GDPR?
Non-compliance with GDPR is something no company would ever want, as it entails hefty fines. Under GDPR, erring companies may be fined up to 4 percent of annual global sales. For tech giants, this fine could run into the billions. Meanwhile, smaller companies may be fined up to €20 million.
Here’s a real-world example: on the first day of enforcement of the new data protection rules, Google and Facebook were hit with GDPR violation lawsuits amounting to a collective $8.8 billion. The lawsuits stem from the vague consent options in their privacy policies, which run directly against the GDPR.
Future of GDPR and the Internet
At present, not all companies meet the new GDPR requirements. Some websites have decided to shut down their services entirely rather than be hit with penalties. In fact, several US-based newspapers and web services are still blocked or have suspended their operations in the EU. Meanwhile, many companies have spent between $1 and $10 million to make their web portals GDPR-compliant. As companies come to understand GDPR, they should identify the appropriate course of action for bringing their web services into line with the new regulations.
From the perspective of consumers, GDPR has ushered in a new era for data protection. The stringent controls that GDPR has put in place should give you more confidence whenever you access the Internet. Hopefully, it will finally address the alarming data breaches and cyber threats that confront consumers.