In the last couple of weeks, you might have been pounded with "GDPR" emails. While ordinary citizens find it too time-consuming to go into the details and find out what it means for them, businesses are struggling just as much to understand their own obligations.
But this isn't surprising, as the European Union's General Data Protection Regulation (GDPR), arguably the most complex piece of regulation the EU has ever produced, came into effect yesterday, May 25.
So what is GDPR?
The GDPR is Europe's new framework for data protection laws. It replaces the previous 1995 data protection directive, which was also the basis of UK law until 23 May 2018.
According to the EU's GDPR website, the tough new legislation aims to "harmonize" data privacy laws across Europe as well as supposedly giving greater protection and rights to individuals. The legislation runs to 88 pages and includes 99 articles. From yesterday, the new mutually agreed GDPR updates the rules on personal data.
So what does GDPR govern?
In principle, GDPR is supposed to bring outdated personal data laws across the EU up to speed with an increasingly digital era. The previous data protection laws were put in place during the 1990s and haven't been able to keep pace with the technological change that has occurred at an exponential rate.
GDPR essentially regulates the processing, by an individual, a company or an organization, of personal data relating to individuals in the EU. The rules, however, don't apply to data processed by an individual for purely personal reasons, nor to the processing of personal data of deceased persons or of legal entities.
Under the new GDPR rules, ‘Data protection’ is seen as a fundamental right. Likewise, according to the Act, this is in “balance with other fundamental rights.” The new set of rules aim to ensure a “high level of data protection” as well.
When data protection authorities start enforcing GDPR, it will alter how businesses and public sector organizations can handle the information of their customers.
Image credit: eugdpr.org (modified)
This explains why email inboxes across the world were flooded with notifications about updates to privacy policies from companies all trying to comply with the strict regulations.
GDPR will give EU citizens more control over their data, but it has implications beyond the European Union as well. GDPR is also the reason why nearly all major players, from Google to Facebook, have updated their privacy policies and notified their users accordingly.
Data protection by design
One of the key principles of GDPR is that it calls for 'data protection by design.' According to Article 25, the controller needs to "implement appropriate technical and organizational measures, such as pseudonymization, while ensuring that only personal data is collected which is needed and is not made accessible to other persons without the user's explicit permission."
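To make the Article 25 principle concrete, here is an added example (not from the article, and not an official implementation of anything) that applies the two measures the paragraph names: pseudonymization of a direct identifier and collection of only the fields that are needed. The record, the field names, the key and the `pseudonymize_record` helper are all constructed for this illustration. The pseudonym is a keyed HMAC rather than a plain hash, so the key is the separately held "additional information" without which the pseudonym cannot be linked back to a person.

```python
import hmac
import hashlib
from typing import Any, Dict, Iterable

# Constructed sample record for the demo; field names are hypothetical.
SAMPLE_RECORD: Dict[str, Any] = {
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "country": "DE",
    "purchase_total": 42.0,
}

# Fields the downstream (e.g. analytics) job actually needs. Everything
# else is dropped, which is the "only personal data ... which is needed"
# part of Article 25.
NEEDED_FIELDS = {"country", "purchase_total"}

# Constructed demo key. In practice this lives in a key store, separate
# from the pseudonymized dataset, and is never written into the dataset.
DEMO_KEY = b"constructed-demo-key-keep-out-of-the-dataset"


def pseudonym(identifier: str, key: bytes) -> str:
    """Return a keyed pseudonym for a direct identifier.

    HMAC-SHA256 is used instead of a bare SHA-256 on purpose: with a bare
    hash, anyone who can guess a candidate email address can hash it and
    confirm a match. With a keyed HMAC, re-identification requires the key,
    so the key is what must be protected and kept apart from the data.
    Normalizing case keeps 'Alice@Example.com' and 'alice@example.com'
    mapped to the same pseudonym.
    """
    msg = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_record(
    record: Dict[str, Any],
    key: bytes,
    needed_fields: Iterable[str],
    identifier_field: str = "email",
) -> Dict[str, Any]:
    """Return a minimized copy of `record`.

    The direct identifier is replaced by its pseudonym under `key`, and any
    field not listed in `needed_fields` is not copied at all, so it cannot
    leak later through logs, exports or access by other teams.
    """
    out = {f: record[f] for f in needed_fields if f in record}
    out["subject_id"] = pseudonym(record[identifier_field], key)
    return out


if __name__ == "__main__":
    # Demonstration run on the constructed record.
    print(pseudonymize_record(SAMPLE_RECORD, DEMO_KEY, NEEDED_FIELDS))
```

The same subject always maps to the same `subject_id` under one key, so records can still be joined for analysis, while a party holding only the dataset (and not the key) sees no email address, no name, and no way to confirm a guessed identity against the pseudonym.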
The consequences of data breaches
When it comes to data breaches, GDPR says that companies will need to inform regulators within 72 hours. Failure to do this could attract steep fines of up to €20m ($25m) or 4% of global annual sales, whichever is greater. Many businesses fear they will fold if hit by fines.
Mixed opinion about GDPR
While the regulation is prescriptive about what organizations have to do to comply, critics say the new rules are unwarranted and overly burdensome, especially for small businesses, which are furious about the cost of complying with the law. Likewise, some argue that GDPR will hinder innovation in Europe, as some businesses will shy away from the entire process of asking people again whether they can use their information. Jason Bier of Engine Media Group observes that "GDPR does have good intentions, however, some of the law itself really breaks the internet."
Conversely, many privacy advocates have hailed the new law as a model for personal data protection in the internet era and called on other countries to follow the European model.
Brexit impact
As the United Kingdom is quitting the EU in 2019, a new Data Protection Act, put forward by the UK government in August last year, received Royal Assent on 23 May 2018. It replaces the previous Data Protection Act 1998 and by and large contains similar regulations and protections, in order to reflect GDPR and ensure that data flows between the two jurisdictions continue uninterrupted. The full text can be found here.
The general consensus is that no one is really ready for GDPR - neither the companies nor the regulators. A government study conducted earlier this year showed that only 38 percent of British firms were aware of GDPR, let alone ready to comply.
Meanwhile, according to Reuters, Facebook has decided to play it safe and put 1.5 billion users out of reach of the new EU privacy law. The social media giant apparently transferred around 70 percent of its users' data from Dublin to the United States. GDPR critics argue that this is just the beginning and that many other businesses will follow suit.
More information?
If you are looking for more information on GDPR, here's where you can access the full regulation. The ICO's guide to GDPR can be accessed here.