The European Union’s General Data Protection Regulation (GDPR), Europe’s new data protection framework, comes into force on May 25th, 2018, the most significant shake-up of data privacy law in more than two decades. It applies not only to organizations established in the European Union, but to any organization, wherever it is based, that has operations or customers within the EU.
Recent high-profile data breaches, most notoriously the political consultancy Cambridge Analytica harvesting the personal data of Facebook users without their consent, have thrust the issue into the headlines. The public is increasingly aware that their personal data is valuable not just to them, but also to marketing companies, analysts and criminals trading it on the black market.
Meanwhile, government regulation has generally not kept pace with technological change, or with the threats to privacy that arise when our personal details are stored in the systems of shops, hospitals, banks and so on.
According to Anya Proops QC, a specialist in data protection, “the new law seeks to put power back in the hands of individuals by forcing those who process our data to be both more transparent about their processing activities and responsive to demands for privacy-invasive processing to be curtailed.” The key principle behind GDPR is to give consumers across the 28-nation EU bloc control over their data, and to make it cheaper and easier to find out what information any company or organization holds on you.
The new rules strengthen the definition of consent: companies can no longer rely on vague or confusing terms and conditions to get individuals to hand over their data, consent for separate purposes can no longer be bundled together, and consent must be as easy to withdraw as it was to give. For children under 16, a person holding “parental responsibility” must give consent on their behalf (member states may lower this age threshold, but to no less than 13).
It will also become mandatory to report personal data breaches to the relevant national supervisory authority (in the UK, the Information Commissioner’s Office), where feasible within 72 hours of becoming aware of them, rather than this being merely “good practice”. Organizations will need to review their systems and internal processes, with particular focus on technical security and on data minimization techniques such as pseudonymization: replacing the direct identifiers in a record with artificial tokens, so that the data can no longer be attributed to a specific person without additional information that is kept separately and protected. Encryption of mobile devices and memory sticks, which the regulation names as an example of an appropriate security measure, will in practice be a necessity. Organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, as well as public authorities, will be required to appoint a data protection officer (DPO).
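As an added illustration of the pseudonymization technique mentioned above (example code written for this page, not from the article or any named organization), the block below replaces the direct identifiers in a constructed customer record with keyed tokens. The key and the re-identification table are the “additional information” that must be stored separately from the pseudonymized data. The field names, the sample record and the key handling are assumptions for the example; in production the key would come from a key management system rather than being generated in the script. The last function shows the caveat a practitioner should know: a bare, unkeyed hash of a low-entropy identifier such as a phone number is not pseudonymization, because every candidate value can be enumerated and matched.

```python
"""Keyed pseudonymization of direct identifiers (added example, not from the article)."""
import hashlib
import hmac
import secrets

# Constructed sample record for the example; not real data.
SAMPLE_RECORD = {
    "email": "Alice.Example@example.org",
    "phone": "07700 900123",
    "postcode": "SW1A 1AA",
    "purchases": 3,
}

# Fields treated as direct identifiers (assumed schema); everything else is left as-is.
DIRECT_IDENTIFIERS = ("email", "phone")


def _normalize(value: str) -> str:
    # Canonicalize spacing and case so trivially different spellings share one pseudonym.
    return "".join(value.split()).lower()


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the normalized value, truncated to 128 bits.

    The key, not the hash, is what makes this non-reversible for an attacker: without it
    they cannot compute candidate tokens to compare against the stored ones."""
    mac = hmac.new(key, _normalize(value).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of record with direct identifiers replaced by pseudonyms.

    The token -> original mapping is written to lookup, which must be stored
    separately from (and with stricter access controls than) the pseudonymized data."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if isinstance(out.get(field), str):
            token = pseudonym(out[field], key)
            lookup[token] = out[field]
            out[field] = token
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Restore original identifiers using the separately held lookup table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) in lookup:
            out[field] = lookup[out[field]]
    return out


def unkeyed_hash_is_reversible(phone: str, known_prefix: str, unknown_digits: int) -> bool:
    """Demonstrates why a plain SHA-256 is not pseudonymization for low-entropy data.

    Given the hash of a phone number and a known prefix (e.g. a country or area code),
    enumerate every possible suffix and check for a match. Returns True if the
    original number is recovered."""
    target = hashlib.sha256(phone.encode("utf-8")).hexdigest()
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == target:
            return True
    return False


if __name__ == "__main__":
    # Assumed for the example: a fresh random key. In production, fetch it from a KMS/HSM.
    key = secrets.token_bytes(32)
    lookup = {}
    pseudonymized = pseudonymize(SAMPLE_RECORD, key, lookup)
    print("pseudonymized:", pseudonymized)
    print("round-trips:", reidentify(pseudonymized, lookup) == SAMPLE_RECORD)
    # Unkeyed hash of a number whose first 7 digits are known: recovered after at most 10**4 tries.
    print("plain hash recoverable:", unkeyed_hash_is_reversible("07700900123", "0770090", 4))
```

Note that the pseudonymized record still contains quasi-identifiers such as the postcode; pseudonymization reduces risk but does not by itself make data anonymous, and the re-identification key and table remain personal data that need their own protection.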
For companies preparing for GDPR compliance, the number of rules can be confusing, and the penalties for breaching them are serious: fines of up to 4% of total annual global turnover or 20 million euros, whichever is higher. However, most large organizations have been preparing for GDPR for the past two years, and many big technology firms have spoken publicly about their preparations. Facebook has just released new privacy tools intended to help it comply with GDPR and to make it more straightforward for users to see and access the data the company holds on them.