GDPR: Everything you Need to Know

We have already published an article explaining the European development of data protection. This week we want to explain the key points of the EU General Data Protection Regulation.

Data protection laws are essential for protecting human rights — most obviously, the right to privacy, but also many related freedoms that depend on our ability to make choices about how and with whom we share information about ourselves. The European Union General Data Protection Regulation (GDPR) is one of the strongest and most comprehensive attempts globally to regulate the collection and use of personal data by both governments and the private sector. It was enacted in 2016 by the European Union, and went into effect May 25, 2018, across the EU’s 28 Member States. If robustly implemented and enforced, it will bolster privacy protections in Europe and potentially far beyond.

The EU GDPR is a new set of rules that aims to strengthen protections for personal data and to ensure consistency of such protections across the EU. The law replaces the 1995 Data Protection Directive, which has until now set the minimum standards for processing data in the EU. GDPR will significantly strengthen a number of rights: individuals will find themselves with more power to demand that companies reveal or delete the personal data they hold; regulators will be able to work in concert across the EU for the first time, rather than having to launch separate actions in each jurisdiction; and their enforcement actions will have real teeth, with the maximum fine now reaching the higher of €20m (£17.5m) or 4% of the company’s global turnover.

GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:

  • Requiring the consent of subjects for data processing;
  • Anonymizing collected data to protect privacy;
  • Providing data breach notifications;
  • Safely handling the transfer of data across borders;
  • Requiring certain companies to appoint a data protection officer to oversee GDPR compliance.

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data. The regulation applies to a broad array of personal data, including a person’s name and government ID numbers. It also protects information that can show a person’s activity both online and in the real world. That includes location information, as well as IP addresses, cookies and other data that lets companies track users as they browse the internet.

Each member state of the EU will have its own enforcement mechanism, with one GDPR supervisor per country.

Residents can make complaints to the governing body in their respective country. Companies found in violation of the law will face fines that could be very steep. The maximum fine for a GDPR violation is 20 million euros or 4 percent of a company’s annual global revenue from the year before, whichever is higher.

Companies are encouraged to build privacy-protecting mechanisms into their systems — a concept known as privacy by design. Under the regulations, those who process data must carry out technical and organizational security measures designed to protect the data from abuse, loss or misuse — for example, by minimizing the data they collect, and considering the use of pseudonyms and encryption. Where the risk to people’s rights seems high, and particularly where the technology is new, companies are required to conduct data protection impact assessments before processing data.

The GDPR requires companies that have lost control over customer data, or that have been hacked, to notify users within 72 hours. That’s one of the rules that carries the maximum penalty. For instance, if Facebook were found to have failed to comply, it could be liable for a $1.6 billion penalty (based on its 2016 annual revenue of $40 billion). The world’s largest companies have already updated their sites to comply with GDPR. Facebook launched a range of tools to “put people in more control over their privacy”, by unifying its privacy options and building an “access your information” tool to let users find, download and delete specific data on the site. The company also forced every user to agree to new terms of service, and took the opportunity to nudge them into opting in to facial recognition technology.

Apple revealed a privacy dashboard of its own — although the company proudly noted that, unlike its competitors, it does not collect much personal data in the first place and so did not need to change much to comply. Google took a different tack, quietly updating its products and privacy policies without drawing attention to the changes.

The General Data Protection Regulation not only applies to businesses in the EU; all businesses marketing services or goods to EU citizens should be preparing to comply with GDPR as well. By complying with GDPR requirements, businesses will benefit from avoiding costly penalties while improving customer data protection and trust.

GDPR has been in force for only a couple of months now, and so far it hasn’t impacted our lives. We will have to see whether it brings real change to data protection. The only advice that we can give you is to protect your data yourself and choose IDM for the safest cloud storage around!