It’s been hard to ignore the avalanche of emails from just about everyone lately on your phone or in your email inbox about GDPR, each of them uncannily similar. From Facebook and Google to Twitter and Amazon, companies around the world are suddenly updating their policies to give you more control over your personal data.
Everyone’s doing it, and seeing hundreds of emails about the exact same thing may have got you scratching your head: Why now? What’s the sudden big deal? It’s all down to the European Union’s new General Data Protection Regulation (GDPR), a trans-European law that governs the data privacy of all 516m European Union citizens.
GDPR may only apply to EU citizens – but with Facebook lumbering from crisis to crisis, many Americans are already starting to ask why they don’t have similar legislation.
I’m Not In Europe – Why Should I Care About GDPR?
While GDPR applies to people who live in the EU, its implementation is set to be global. After all, plenty of Europeans use US websites and services, which means that when GDPR goes live on May 25, a lot of non-European websites will have to be GDPR-compliant if they have customers and clients in the EU. Although this is a pan-European law, its enforcement is set to be global thanks to the support of governments around the world – and that includes the US government.
Is GDPR Introducing a Better Future?
There’s a lot of debate around whether GDPR is a good thing or a bad thing. It certainly makes life a bit more difficult for businesses, but it also provides consumers with extra protection that they didn’t enjoy before.
For example, when you sign up for a website like Facebook, you have to accept its terms of service – which includes accepting its data collection policies. For Facebook, that includes letting third parties access your online activities across the internet, which most people don’t like.
With GDPR, that’s going to change for EU citizens. Rather than bury dubious data collection policies in documents that few will read, companies now have to explicitly seek out the “unambiguous” consent of their users to collect their data.
Putting Personal Data Back In The Hands Of the People
One of GDPR’s most significant rules is that consumers will be able to revoke their consent more easily than before. Not only do they have the right to request a free copy of their data and information on how it is used; they also have something called “the right to be forgotten.”
Simply put, this means that EU citizens have a legal right to ask an organization to delete their data and that organizations must comply with this desire. This rule in itself necessitates meticulous and safe data protection – something which not all companies have been careful with in the past.
It would be easy to ignore this, except for the twin threat of data breaches and the steep fines imposed on companies for non-compliance.
Draconian Fines For Non-Compliance
Data breaches are proving to be one of the 21st century’s big issues. At least once a year, there’s a scandal where millions of email addresses and other sensitive data get hacked. This is a huge problem, and many times it simply comes down to poor security measures and the reluctance of the companies to tell the world that there’s been a bit of a boo-boo.
Under GDPR, firms that suffer a data breach are required to notify the authorities and consumers within 72 hours. If they do not comply, then the fines will be costly. At 4% of an organization’s annual turnover or up to €20m per failure, the hefty fines are certainly giving many businesses pause for thought. Google alone could be fined more than $4bn if it fails to comply!
The EU expects businesses to act within the spirit of this law, rather than follow it to the letter. This softer approach, combined with fines, shows that there is understanding that this law is a radical change and that nobody is expecting a smooth path to a new general consensus. For small businesses, simply being able to demonstrate good faith and an ongoing concern for their customers’ data privacy should keep the eye-watering fines at bay.
GDPR is a hugely complex legal document – it’s no surprise a legal cottage industry has sprung up overnight to help businesses navigate it – that has a lot of major implications for the future of consumer data.
In the wake of the Facebook and Cambridge Analytica scandals, it’s not surprising that the EU is moving ahead with tough new rules to help make the balance of power a little bit more equal. Whether your business is based in Europe or elsewhere, following the spirit of GDPR and demonstrating ongoing compliance is a good idea: the alternative is to shut off a 516m-strong marketplace. It’s also worth considering that the United States may introduce such laws too – which means that you could get a head start on being prepared should such an event happen.
In any case, with data privacy and protection becoming a hot issue, it’s good business sense just to demonstrate to your visitors that you are serious about their right to data privacy.