The 25th of May 2018 may seem like any ordinary day, but for the EU and Europe as a whole it is quite significant: it is the day the General Data Protection Regulation (GDPR) comes into force. This date is surely keeping some corporate executives up at night, and those sleeping soundly may already have their preparations in place for the big day.
This European Union decision out of Brussels is no ordinary directive, where individual countries may decide how its requirements are written into their own laws. The General Data Protection Regulation is a regulation, meaning that it will become law in all countries simultaneously. This is why corporate executives are up at night.
The Purpose of the General Data Protection Regulation
The purpose of this law is to strengthen and rationalize data security for every single person residing in the EU. It also covers the transfer of data from within the EU to outside it. The regulation seeks to give control and authority over personal data back to the individuals who own it, and to simplify the regulatory environment for international business by bringing it together under one umbrella. Companies will not have to deal with different laws in different countries to continue business; under one law, they will be able to conduct operations much more smoothly and effectively.
Why Was it Needed?
The law comes as a response to the use, abuse and disregard of individuals' personal data, as company after company misused clients' personal data. This malpractice had become the very core of some businesses and companies. The GDPR is a safety jacket for all European citizens, as all foreign companies, or at least any company that handles personal user data, will have to operate under this law. Even if a company does not operate from within the EU, if it processes EU data it will be bound by the law and will be held accountable if it crosses any boundary the law has set. The penalties for crossing any boundary are severe, even by internet standards: fines can range up to €20m and/or 4% of global turnover.
The GDPR applies both to the people who control the data and to those who handle it. The controllers, who are in charge of how and why data is processed, will be under the same obligations as those broadly imposed by the current data protection law. The handlers, or processors, of the data will be under closer scrutiny: specific legal obligations will require you to maintain records of personal data, and the responsibilities that fall on a data processor will carry more legal liability if you are responsible for a data breach. Any breach, no matter what size, will have to be reported within 72 hours.
Protecting The People’s Right
The GDPR also builds on the concept of what a user's personal data really is. For example, the regulation stipulates that an online identifier such as the IP address of a device is now considered personal data. Next year a wide range of identifiers that did not previously fall within the law will be regarded as personal data, and this will bear on how companies collect data from users.
European citizens now enjoy new rights over their personal data: they have the right to contest and fight a decision that might have been made about them by an algorithm that processes their data. For any use of personal data, valid consent has to be obtained from the user, and they have to be shown how the data will be used. For children, consent to the use of their personal data has to be sought from the parents or guardians, and the collectors of personal data have to prove that they have obtained valid consent.
Citizens of the EU can also ask for the deletion of the personal data related to them, and companies will have to first remove the data and then prove that it has been properly removed.
Who’s Exempted? Who Isn’t?
Companies that keep HR records, customer lists, contact lists and so on will more or less not be affected by the GDPR, except for companies that might need more than what is usually required. But companies that have previously operated without the supervision of any data protection law, such as the hidden multitudes of data miners, trackers, data auctioneers and ad targeters that function under the guise of websites, social media and even Google, will have to face severe consequences.
Facebook and Google would probably be okay with the GDPR, as they claim to have the consent of their users. But the crowd that will truly be under observation is the data-broking crowd that does not have consent. Targeting and tracking companies will need to ask for consent somehow. Anything that tracks the user on the internet without declaring itself will now have to show itself, declare itself and seek the user's permission. This changes everything, as the very ecosystem of the internet will be in question.
Does The GDPR Cover the United Kingdom?
Citizens in the United Kingdom, too, will be covered by the GDPR, despite Brexit. The UK government has been keen to stress that it is looking to secure the unhindered flow of data between the UK and the European Union. Companies will no longer be able to misuse a user's personal data by presenting them with a couple of default tick boxes. Personal data can now be protected personally too: plans to give people the right to delete their posts from childhood on social media were brought up by Theresa May in her election campaign, and since then measures have toughened. The legislation will now give people the power to have all their personal data deleted, and companies will have to comply.
These measures only increase the security and confidence a user has when dealing with a company, as there are now no records held against them or hidden about them. Everything is transparent and will be effectively in place by May 2018.