Forget The Royal Wedding — Get Ready To Walk Down The Aisle With The GDPR
While some of us were watching the royal wedding and eating cake, others have been working hard to implement the General Data Protection Regulation (GDPR) and counting down the days until it goes into effect.
It’s the first of its kind in terms of data protection, and it’s affecting businesses and individuals around the globe. Failure to comply will mean companies coughing up major fines, and yet implementing its rules is costing some organizations billions of dollars. Whether ready for it or not, it is essential for any business owner to be fully aware of the detailed laws that the GDPR lays out.
It might not be wearing a white dress and tiara (or be as cute as Prince Harry), but this sturdy new law is coming decked out with numerous detailed stipulations…and if you fall under its requirements, then get ready to walk down the aisle with it.
What are the basics of the GDPR, and how might its stipulations pertain to you — whether as a business owner or an online consumer?
GDPR Guidelines — The Basic Why’s And What’s
After many years in the making, the GDPR has finally been passed into law (effective on the 25th of May), ensuring that all EU member states maintain data regulation in the same way and hold to the same standards. Starting in 1995 as a data protection directive, it was proposed as a regulation in 2012 and finally adopted by the Council of the European Union and European Parliament in 2016.
Why was the GDPR created in the first place?
It’s pretty simple. The EU wanted a way to collectively regulate how businesses and organizations use data. After recent breaches like the Cambridge Analytica scandal, we have seen what happens when organizations are not all held to one uniform set of rules, and the immensely widespread damage that this can cause.
Once the regulations become fully enforceable throughout the European Union, a lot of EU individuals will be breathing easier. At the same time, businesses around the globe will most likely be feeling the stress of needing to adjust their company’s behavior in a way that fully complies with the new laws.
There are some general changes that we can expect (and no, this isn’t about limited edition “Harry & Megs” t-shirts).
For EU citizens, it means data protection laws have been dramatically strengthened and will be identical in every member state, and the organizations that use their data will be far more accountable for how they use it. Essentially, it means individuals will finally have more protection and control over their data rights.
For businesses, it means that the way user data is acquired and handled will need to be closely assessed and brought to strict compliance with the GDPR. This not only applies to EU businesses, but to any business around the globe that targets EU citizens as potential consumers and acquires or processes any personal data from them.
And you might be wondering: what are the consequences of failing to comply with the GDPR?
Well, for one, any business found breaking the rules could potentially be charged a penalty of up to $23 million or 4% of the company’s global annual turnover — which, needless to say, would be detrimental to any organization.
And secondly, there is the reputational damage of failing to take the necessary steps for GDPR compliance and getting caught — customers won’t trust that their data privacy is being taken seriously.
So this new data privacy change is not something to be taken lightly. With severe consequences and more power placed in the consumer’s hands, there is a lot on the line.
Key Data Protection Requirements And How They Affect Your Business
If your company, on any level, acquires and processes personal data from EU subjects, then you’re probably already working hard to make sure that your business complies with the GDPR.
There is a lot that the regulation entails, but here are eight key data protection requirements that your company must meet in order to be in compliance:
…grants all EU citizens the right of access, which means all companies must provide details on what personal data is being used and how it is being used if an individual requests it.
…grants citizens the right to be forgotten, which means all companies must delete an individual’s personal data upon request.
…grants the right to data portability. This means individuals can request companies to transfer their personal data to another company.
ARTICLES 25 & 32
…states that organizations must take appropriate measures to protect EU individuals’ personal data and that these measures must meet GDPR guidelines.
…requires companies to report any personal data breach to the supervisory authority within 72 hours.
…requires companies to notify all data subjects if a breach occurs that is likely to result in a high risk to the subject’s rights and freedoms.
…requires companies to perform data protection impact assessments before processing data (making sure that all data processing complies with the regulation’s six principles), in order to seek out potential risks and address those issues before they materialize.
Additionally, companies should be aware of Article 37, which requires certain companies to appoint a data protection officer (DPO) to oversee GDPR compliance.
A Positive Trend Or Too Restrictive?
No doubt, individuals in the EU are eagerly anticipating the official date for the GDPR as it is a gateway to a new and empowering age of personal data privacy. Even for citizens outside of the EU who aren’t directly affected by the new law (unless you’re a business owner), it raises hopes for a potential future where data privacy laws are clear and effective.
Is this a positive step in the right direction? Or is it too early to tell whether the effects of such a strict law will be helpful rather than harmful?
Before the new law goes into effect, businesses around the globe are working hard to comply with the GDPR, and it’s adding up to billions of dollars. There is no wiggle room for companies and their compliance with the law, and they have to spend the money necessary to audit and classify every bit of data that they hold. Not only that, but some companies need to hire a data protection officer…and we don’t even want to get into the possible future needs for lawyers when things get messy (although some companies are already lawyering up for help with wading through the legalities of the regulation).
Countless hours and dollars are being spent on training staff, applying systems, auditing consumer and employee information, hiring more staff, and generally prepping for that GDPR green light.
Countless hours, billions of dollars…is this, perhaps, the price that must be paid for privacy?
The HIPAA Journal lays it out as a necessary cost for a “harmonious approach to processing data,” and Facebook is issuing updates and asking their users to make choices about their data as they wrangle their policy into shape.
For some businesses, however, GDPR compliance is forcing a choice between continuing and discontinuing service to EU citizens. If the percentage of their revenue from EU customers isn’t large enough, it’s a lot easier to cut ties with that branch of service than to invest huge amounts of money in the auditing and processing changes that the GDPR would require.
For smaller businesses whose EU revenue is only a small percentage, this is a manageable tie to cut.
But for major corporations, this isn’t a route they can take.
How many companies will choose to stop selling to EU citizens instead of making huge GDPR changes? And what sort of chain of events will this new regulation set off as major data-handling companies tighten their data privacy rules and become GDPR compliant?
With this new regulation going into effect there will undoubtedly be some tweaks and adjustments as issues arise, and who knows — maybe by 2019 the small businesses who chose to end EU services will revisit a more ironed-out GDPR.
So far 2018 has seen us down one bachelor prince and up one major data privacy change. We’ve already seen how crazy the world went over the former’s new marital ties, and we’ll just have to wait and see how the latter fares.
Getting To Know The World’s New Friend
Hopefully if you’re an EU citizen or a business dealing with EU citizens’ data, you’re well informed and very familiar with the GDPR.
But if you’re just now learning about it, there are plenty of resources available to educate yourself about each of the regulation’s articles, its history, and the major changes that it’s bringing forth.
As you acquaint yourself with the world’s new and complicated friend, the GDPR, some questions you can ask are: do its regulations pertain to you or your business? Are there changes your company needs to make in its data processing? Are you fully educated on your responsibilities as a company, as well as your rights as an individual? Is Meghan pregnant? (Wait, hang on, wrong topic…)
Written by: Rebecca Nanako Juchems