- Do you live in an EU member country?
- Do you have a business that is registered in an EU member country?
- Do you have a business anywhere in the world with customers in an EU member country, or do you plan to in the future?
If you answered “Yes” to any of these three questions, I suggest you take a break, make yourself something to drink, and start reading. The GDPR is important to you, it will affect your life and business, and you need to take the time to understand what it means.
What is the GDPR?
When it comes to privacy laws, every country has its own set of regulations created to protect the privacy and rights of individuals. In 1995, the EU created the Data Protection Directive, which aimed to regulate the processing of private data within the European Union.
Since then, there have been no new regulations or changes. When it comes to technology, it’s safe to say that quite a lot has changed since 1995. Today, we do everything online, from shopping and banking to learning and communicating with family, friends, and colleagues. The world has changed, and the way our personal information is used has changed as a result. It was time for regulations to change as well, in order to protect the privacy of individuals in this new “Age of Data”.
In 2012, the EU began working to create a new regulation with this goal in mind – protecting our personal information and giving us control over how it is shared and used. We give our information on a regular basis to social networks, online shops, banks, and various online services every single day. Creating a regulation that could protect our privacy while still being realistically implemented and regulated was not an easy task. It took the EU four years until the General Data Protection Regulation (otherwise known as the GDPR) was approved by EU Parliament in April 2016.
Sounds like old news, right? It’s 2018, after all. Well, like I said, this is a complicated issue, and businesses need time to adjust their business models and technology in order to comply. The GDPR takes effect May 25, 2018, giving companies around the world just over two years to get ready. That is why you’ve probably been getting emails from Google, Microsoft, Facebook, and other giant corporations letting you know of their privacy changes. It’s all part of being GDPR-compliant.
Who does the GDPR affect?
This regulation affects every single citizen and business in an EU member country, as well as every business that processes information of EU citizens, regardless of where the business is registered. As an individual, it is important to understand this regulation in order to know what your rights are and what you can demand from companies that have access to your sensitive data. As a business, if your business or target audience is in an EU member country, the GDPR applies to you as well, and you need to find a way to comply or face heavy fines. Businesses outside of the EU with EU customers must either change their target audience and business model to exclude EU countries, or take the necessary measures to comply, because the fines are too high to risk non-compliance.
Non-compliance fines are tiered, which means they vary depending on the type of breach or non-compliance involved. They can reach up to 20 million euros, or 4% of annual global turnover, which is significant and can even mean the end of many businesses.
What exactly does the regulation say?
The GDPR is based on the Data Protection Directive, the existing legislation established in 1995. However, because the world of data has evolved since 1995, the GDPR has made several significant changes to the existing policy. Here are the most important of these changes:
People rarely read “terms of consent” or “privacy” agreements today, because they are so long and loaded with unfamiliar terms that the reader’s eyes glaze over. Under the GDPR, terms and conditions must be clearly worded and jargon-free, so that customers will understand what they are agreeing to. Consent for data use must be given in a separate form, also accessible and easy to read.
Higher Control over Personal Data
Once a customer has agreed to let a company access their data, the GDPR aims to give them increased control over the use of that data. Under the new policy, customers have the right to know which of their data can be accessed and for what purpose it is being used. In the interest of transparency, companies must make this information available upon request with no extra charge.
Further, the GDPR gives ordinary people the “Right to Be Forgotten,” which allows them to request that all of their personal data be permanently deleted. Once the data has been erased, all use of that data by third parties must come to an end immediately. Withdrawing consent for data use should be as easy as granting it.
The GDPR also allows people to transfer their personal data from one company to another – a right referred to as “Data Portability.”
In the 1995 legislation, it was not clear to whom the legislation applied. Today, the GDPR aims to cover a clearly defined and larger jurisdiction. The new policy is applicable to all companies that use data from the EU, regardless of where the company itself is located. In other words, an American or Singaporean company could still fall under the GDPR’s jurisdiction if it deals with the data of EU residents.
Mandatory and Prompt Alerts
In the event of a potentially risky breach, companies must notify users within 72 hours of discovering the breach. A company that discovers a breach but reports it only weeks or even years later would be liable to penalties under the GDPR.
These are only some of the new developments the GDPR introduces. While the above covers the main issues that will probably interest a private individual, I recommend going through the regulation itself on the EU website, especially if you are a business.
Does the GDPR affect blockchain technologies?
Like other online technologies, blockchain falls under the jurisdiction of the GDPR and will be subject to all of its regulations. Understandably, some of these regulations will be difficult to apply to blockchain, for several reasons. For one, its decentralized structure makes a centralized policy such as the GDPR difficult to enforce. Also, blockchain makes data deletion almost impossible, so it will not be easy for users to have their data withdrawn upon request at a moment’s notice.
Legislators and blockchain developers alike are exploring potential solutions, including separate “off-chain” databases for personal data. The GDPR is unlikely to “destroy blockchain”, according to experts, but there will be changes in order to ensure compliance.
What can businesses do to comply?
The most important step for businesses is to become familiar with the new regulation and become aware of the personal data in their possession. What kind of data do you have, who does it belong to, and what is it used for? Once you have this information, you need to make your customers aware of it as well.
Other concrete steps include:
- Rewriting “Terms & Conditions” and “Privacy” agreements for optimal ease, as noted above
- Instituting a clear and user-friendly process for data withdrawal
- Appointing an officer and/or department to take charge of user data
- Creating efficient detection and reporting procedures in case of a data breach
From both a legal and a marketing standpoint, non-compliance could end a business. Giant corporations like Google have the budgets and capabilities to change their technologies, methods, and systems to comply, but small businesses don’t have that luxury. Because of this, a number of companies today provide services to help with compliance in payments and other data-processing services.
For private individuals and businesses alike, it’s important to know the new rights and responsibilities included in the GDPR. Whether for EU citizens or the businesses that work with them, this legislation will have a major impact on the way personal data is handled. While the GDPR is big news in itself, as it introduces a massive change in privacy laws in the EU, it also symbolizes a new era. Experts expect more regulations around the globe to be introduced in the following years as more privacy and data breaches occur. As individuals, we want to be able to use online services freely and safely, and new privacy laws and technologies are a reflection of that.