Have you noticed a sudden influx of terms-of-service and privacy policy emails over the past few weeks from companies you interact with or have interacted with? The reason is that the General Data Protection Regulation (GDPR) compliance deadline is almost here, and companies need to gear up for this game changer in data privacy.

So what exactly is the GDPR? It is a law approved by the European Union back in 2016 regulating how the data of EU residents may be used, stored, and protected by companies. Any company that is registered in the EU or has customers in the EU needs to abide by this new set of guidelines. After a two-year transitional period, it will officially go into effect on May 25, 2018.

Here are the key changes GDPR is introducing:

  1. Consent & Transparency – Consent needs to be “freely given, specific, informed and unambiguous”. This means it must be easy for individuals to give and withdraw their consent at any time, and companies cannot use illegible terms and legalese in their conditions. Companies need to make sure their customers understand exactly how their data is being used.
  2. Right to Access – Individuals can obtain information on how their personal data is being processed and also request a copy of this data at any time.
  3. Right to be Forgotten – Individuals have the right to have their personal data deleted at their request.
  4. Data Portability – Individuals can obtain a copy of their personal data in a common machine-readable format to reuse or transfer to other platforms/services.
  5. Right to Object – Individuals can object to the processing of personal data for direct marketing, research/statistical purposes, automatic profiling, and processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
  6. Right to Restrict Processing – Individuals can suppress the processing of their personal data while still allowing companies to keep the data in storage.
  7. Right to Rectification – If any personal data is inaccurate, individuals may request that it be corrected before any further processing.
  8. Privacy by Design – Companies need to design and build systems with data protection and privacy as a priority at every stage of development.
  9. Data Protection Officers (DPO) – A mandatory role that companies need to appoint if they are involved in large-scale systematic monitoring or processing of sensitive personal data.
  10. Breach Notification – Companies are required to notify authorities and any affected parties of a personal data breach within 72 hours.

Companies have a lot to do to be compliant with all these changes, but it is important that they do so. Violators can be fined 20 million euros or 4% of their global annual revenue (whichever is higher), and that is not a small price to pay.

Coming on the heels of the Facebook and Cambridge Analytica scandal, this reform can be considered a necessity, as many people have become increasingly concerned about how their personal data is being handled. However, will this new law actually help individuals regain a sense of security, or will it just bring on a new onslaught of problems from possible loopholes? Only time will tell.