Everybody’s talking about the European Union General Data Protection Regulation right now, and for good reason. The EU GDPR is a broad, powerful piece of legislation that came into effect on May 25th, 2018, and has rewritten the rules of privacy in Europe and the rest of the world, for businesses and consumers alike. If you’re not up to date on the new law, or if you’re just curious about what major organizations like Echosec have done to comply with GDPR, then read on!
1: You control your data
As an individual, there’s a lot of data in the world that’s about you. This data can include your name, your phone number, your online username, your social security number, or your IP address. Anything that’s unique to you, as a person, is your personal data. Under GDPR you have several rights to control the use of your own data. You have the right to ask an organization what personal data it holds about you. You also have the right to access that data, to correct it if it is inaccurate, and to erase it if you withdraw consent for your data to be used. You have the right to restrict what an organization can do with your data, and to object to automated decision making that affects you. You even have the right to transfer your data from one organization to another. That means you could move your data from an uncooperative company to one of its competitors! These rights give the company only a 30-day window to comply, so you’ll get quick responses if you send in requests.
2: Consent is purpose-driven
1. You download a mobile game to your phone.
2. The game or app asks for your contacts so it can find your friends who are already playing.
3. The game owners may store your contact list and use it to send promotional emails to your friends, or even sell your contacts to companies for building spam mail lists.
#3 is no longer allowed. Your data will only be used for what you agree to.
3: Penalties that actually affect big companies
Time and again, we hear about major corporations suffering a major breach and being penalized with a simple slap on the wrist. Perhaps they were fined millions of dollars, such as the AT&T breach that cost the company $25 million in 2015. Although that sounds like a lot at first glance, it’s a drop in the bucket compared to the $33.0 billion in revenue the company reported for that quarter. GDPR’s solution is to make fines scale with the company’s revenue. Under GDPR, serious breaches can earn fines of up to 4% of the company’s worldwide annual turnover or 20 million Euros, whichever is higher. So, large companies failing to comply with GDPR may face enormous fines.
4: GDPR - A single European regulation
Before GDPR, there was the EU Data Protection Directive. This directive instructed the member nations of the European Union to draft privacy legislation under a common framework. Unfortunately, because it was only a directive, each nation in Europe drafted its own privacy legislation, and each set of legislation was slightly different, with separate sets of restrictions and separate approval processes. Getting approved in France, for example, did not guarantee that you’d also be approved in Belgium, and going through a separate approval process for each nation in Europe was a nasty headache for any non-European company trying to enter the market.
GDPR simplifies matters. As GDPR is a regulation, not a directive, it provides a single set of laws that apply to the entirety of Europe. If you’re compliant with GDPR, you are compliant with privacy law throughout Europe, simple as that. This evens the playing field, making it easier for privacy-minded organizations to comply with the single, unified European privacy regulation, rather than spending time managing dozens of slightly different laws.
5: Data Protection Officers
Having a person in charge of privacy at a company isn’t new, but GDPR makes it an explicit requirement. Companies handling lots of personal data must have a Data Protection Officer (DPO) to serve both the internal needs of the company and the requests of the outside world.
DPOs need to possess a varied skill set. They must have a solid grasp of the legal requirements of GDPR, they must have an understanding of the technologies being used to handle personal data, and they must be able to interact well with executives and project managers while developing new projects and applications. That means a DPO must have legal skills, technical skills, and people skills to perform their job well, making quality DPOs a valuable commodity. If you possess these qualities, there might be a future for you in privacy protection!