What Is GDPR and Why Should You Care As An American?
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation governing consumers’ private information. It was adopted by the European Parliament in April 2016 and came into force on 25 May 2018. GDPR has changed how firms approach data protection and how responsive their security teams must be compared with the past. With GDPR, there are now stronger laws and obligations covering personal data, privacy and consent.
What does GDPR do?
Companies falling under GDPR must obtain explicit consent from users before collecting and using their personal data. This means that EU citizens can now reject the complicated ‘Terms & Conditions’ that were previously mandatory when signing up for new software or purchasing a product or service. Consumers now have every right to refuse or stop companies from using their personal data for direct marketing, or from buying or selling their data to or from other businesses for further use. It is also now mandatory to obtain parental approval when collecting data from children below the age of 16.
What types of data are we talking about?
Anything the EU has determined to be ‘personal data’, meaning it is sensitive and can be linked directly to a person, falls under this regulation. Personal data is defined under Article 4 of GDPR and includes name, address, phone number, IP address and cookies, racial identity, biometric data, health and genetic data, sexual orientation and gender preference, religious affiliation, credit card numbers, travel records and web searches. Since the introduction of GDPR, EU citizens have the right to know what data is being collected and processed about them. News articles, legal actions and public records do not fall under the category of personal data.
Who must comply with this regulation?
Any entity that stores, collects or processes the personal data of EU citizens, whether based in the EU or not, must comply with GDPR. A company is obligated under GDPR if it meets any of the following criteria:
- Having a presence in an EU member country
- Having no presence in the EU but processing personal data of European residents
- Having more than 250 employees
- Having fewer than 250 employees but dealing with sensitive data that impacts the rights of any EU resident
These companies must also appoint a Data Protection Officer, who is responsible for ensuring the company complies with GDPR through employee training and compliance audits. In case of a data breach, the authorities must be notified within 72 hours, and affected customers must also be informed in a timely manner if the breach poses any kind of risk to them.
According to a recent PwC survey, 92% of U.S. companies consider GDPR a top data protection priority.
Penalty for non-compliance
Penalties for non-compliance or violation of GDPR conditions start at $12.4 million or 2% of annual global revenue, whichever is higher, and go up to $24.8 million or 4% of annual global revenue, whichever is higher. EU privacy regulators were toothless for a long time; GDPR now gives them the tool to keep powerful corporations in check. To illustrate how GDPR would levy penalties, consider a breach that has already occurred: from 2013 to 2014, 3 billion user accounts were breached at Yahoo, and the company did not inform its users until October 2017. With revenue of $4 billion in 2012, the fine levied on Yahoo for such an occurrence would have been nearly $80 million (2%), and could have gone up to $160 million (4%)!
Changes in consumers’ lives
Since the introduction of the regulation, consumers have more control over what data is collected about them and for what purpose. The data must also be destroyed once its purpose has been served or it is no longer needed for the task it was collected for. To get information on their data, customers can contact the data controller, whose contact details should have been provided at the time of collection. As consumers now own their personal data, they can trade it with companies for discounts or coupons, for example an Amazon gift voucher in exchange for a customer’s Walmart wish list.
Consumers’ right to remove data
Companies must erase consumers’ personal data when it is no longer needed for the original task or when an individual requests it. This right is known as the ‘Right to be forgotten’. Data that has been obtained illegally or used for direct marketing is also subject to removal under this right, and companies must accede to users’ demands. An organization may retain some personal data for a certain period of time, such as HIPAA-compliant health records; however, companies must honor an EU citizen’s right to erase their personal data if he or she wishes to do so.
Since the introduction of GDPR, companies are more considerate of users’ personal data and have begun to place more emphasis on security measures to prevent future breaches. Within hours of GDPR coming into force, industry giants like Google and Facebook were hit with privacy complaints. Data protection laws have challenged us to think of personal data differently from PII (personally identifiable information).
GDPR is a drastic step towards data transparency that gives individuals the right to know how, where and for what purpose their personal data is being collected, used or processed. With this powerful regulation, individuals now have the right to have their personal data erased or not disseminated further, including potentially halting third parties from processing the data. The scope of the regulation extends to all multinational corporations, including American ones, that collect and process personal data of EU citizens.
“I think everyone in the world deserves good privacy protection,” says Mark Zuckerberg of Facebook. He added that it’s worth discussing whether something similar to GDPR should indeed be applied in the U.S.