What is GDPR and why do people keep emailing me about it?

The good news? You shouldn’t get any more emails. The better news — it’s fantastic for data privacy

Humanlytics Team
Analytics for Humans
5 min read · May 25, 2018


You may have seen more than a few emails in your inbox over the past few weeks about something called GDPR…

And it’s probably a little confusing, right? What are you supposed to do with these emails? Why are they coming in? And why are all of them so weirdly obsessed with getting you to click a button?

What is GDPR?

The “General Data Protection Regulation” (GDPR) is a series of rules created by the European Union that govern privacy and data use for citizens living in the EU. The rules primarily affect how companies and services can use, collect, and share data that you provide to them.

We’ll go into more detail about each of these, but here’s a quick overview of the rules.

  • When building new businesses or processes, companies must utilize privacy by design principles
  • Users must have the highest privacy settings on by default
  • User consent must be given prior to data processing, and this consent must be easy to withdraw
  • Processors must show what, how, and why data is being collected, as well as who it is being shared with
  • Users must have access to a portable copy of their data
  • Data breaches must be reported within 72 hours

The reason you’re getting all those emails is primarily because of the “opt-in” regulations. Starting today, May 25, 2018, companies must have EU residents’ permission to collect their data and use their information. And if they don’t comply, penalties can be stiff — up to 20 million Euros or 4% of global net turnover.

Turns out some companies, by the way, couldn’t get their acts together fast enough. As of the 25th, Tronc, a US-based media conglomerate, was IP-blocking all EU users as their sites were not compliant with EU regulations. Better than a €20 million fine…

What’s in the regulations?

Let’s go item-by-item and get into a little bit more depth:

When building new businesses or processes, companies must utilize privacy by design principles

This is an easy one, and really something that most consumers will never see. It is, however, why many companies and businesses have been running around with their hair on fire trying to become compliant. Article 25 of the GDPR states that processes must be built to have “data protection by design and by default”. Essentially, data protection can’t be a paper wall that businesses throw up later — it has to be a properly designed system.

On a deeper level, this means that your data now must be stored with either pseudonymization or full anonymization. In essence, this strips the personally identifying component out of personally identifying information. When companies store your data now, it must either be encrypted, or totally obscured.
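To make the pseudonymization idea concrete, here is an added example (not code from the article or from Humanlytics) showing one common way to store a customer record: the direct identifier (email) is replaced by a keyed HMAC token, the name is dropped, and the exact age is coarsened into a band. The key, the records and the field names are all constructed for the demo. It also includes a small check showing why a plain, unkeyed hash is not a pseudonym: anyone with a list of candidate emails can confirm which one a plain hash belongs to, whereas the keyed token cannot be confirmed without the key.

```python
"""Pseudonymizing a customer record (added illustration, not the article's code).

Demo key, sample records and field names are constructed for this example.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed 16-byte demo key. In a real system this lives in a separate key
# store, never next to the pseudonymized data: whoever holds the key can
# re-link tokens to people, so the key is what turns "pseudonymous" back
# into "personal".
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed sample records; not real people.
RECORDS = [
    {"name": "Alice Example", "email": "Alice@Example.com", "age": 34, "plan": "pro"},
    {"name": "Bob Sample", "email": "bob@sample.org", "age": 52, "plan": "free"},
]


def normalize(value: str) -> str:
    """Canonicalize an identifier so the same person always gets the same token."""
    return value.strip().lower()


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 128 bits).

    Same input -> same token, so analytics can still join records on it,
    but without the key the token cannot be reversed or confirmed by guessing.
    """
    mac = hmac.new(key, normalize(value).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def plain_hash(value: str) -> str:
    """An unkeyed hash, shown only to contrast with the keyed token above."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()[:32]


def age_bucket(age: int) -> str:
    """Generalize an exact age to a ten-year band (a simple anonymization step)."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record safe to keep in the analytics store:
    name removed, email replaced by its keyed token, age coarsened."""
    out = {k: v for k, v in record.items() if k != "name"}
    out["email"] = pseudonymize(record["email"], key)
    out["age"] = age_bucket(record["age"])
    return out


def confirm_from_candidates(token: str, candidates: Iterable[str],
                            digest_fn) -> Optional[str]:
    """Return the candidate identifier whose digest equals `token`, if any.

    Used here to show that an unkeyed hash of a low-entropy identifier
    (an email address) is confirmable from a candidate list, while a
    keyed token is not when the key is absent.
    """
    for candidate in candidates:
        if hmac.compare_digest(digest_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    for rec in RECORDS:
        print(pseudonymize_record(rec, DEMO_KEY))
    guesses = ["alice@example.com", "bob@sample.org"]
    print("plain hash confirmed:",
          confirm_from_candidates(plain_hash("alice@example.com"), guesses, plain_hash))
    print("keyed token confirmed without key:",
          confirm_from_candidates(pseudonymize("alice@example.com", DEMO_KEY), guesses, plain_hash))
```

The design point is the separation: the store holding the pseudonymized records and the store holding the key should have different access controls, and the coarsened fields (age band rather than exact age) reduce how much a leaked table reveals even if the key is ever exposed.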

Users must have the highest privacy settings on by default

This one’s fairly self-explanatory, but we’ll highlight it with a specific example. Until now, when you set up a new account with a service, you had to immediately wander over to your Account Settings page to stop the company from displaying or otherwise using your information. Now companies have to apply those protective settings by default.

User consent must be given prior to data processing, and this consent must be easy to withdraw

This is the reason you’re getting so many emails! Basically companies cannot process your data without consent, so that’s why everyone’s asking for your renewed consent, right?

Well, turns out that most of these emails are totally unnecessary. In many cases, users had already consented when signing up for companies to use that data. GDPR doesn’t replace that consent, it merely codifies it as necessary for companies going forward. The result? Like 80% of those emails are totally unnecessary.

Oh and by the way, some of them may even be illegal…

Processors must show what, how, and why data is being collected, as well as who it is being shared with

You’ve already started to see versions of this over the past few months, but this is one that we’re excited about. If you recall, Facebook recently announced that you could download all of your data to audit and review what you’ve given them.

This is similar to that. Essentially, users will be able to download not only their data but also any records of how it has been processed, and review it all at their leisure. Most importantly, users will then have the right to have some of that data erased in certain circumstances, if they so choose.

This could range from being able to get a PDF of all of your data, to being able to log on and erase random bits of information that you wish a service hadn’t gathered about you — within reason, that is.

Data breaches must be reported within 72 hours

Here’s another simple one — if your data gets accessed or stolen in a data breach, the service has to let you and the national supervisory authority know that it happened. No more of this:

So in the end, GDPR is significantly less confusing or overwhelming than the constant emails would have you think. We also all come out a lot better for it as consumers, as most companies are choosing to extend the same privacy protections that they are now mandated to provide EU citizens to their entire customer base. Certainly worth a few emails, huh?

This article was produced by Humanlytics. Looking for more content just like this? Check us out on Twitter and Medium, and join our Analytics for Humans Facebook community to discuss more ideas and topics like this!


We examine how technologies can work with humans to create a brighter future for everyone. Beta test at bit.ly/HMLbetatest