On May 25, 2018, the General Data Protection Regulation, or GDPR as it's known, went into effect. Anyone who has spent even a minute on the internet in the last month has likely been bombarded by pop-ups and updated terms of service notifications related to the GDPR. So, what is the GDPR and why should you care?
What is the GDPR?
GDPR is the new regulation of the European Union intended to improve data protection and increase privacy and transparency. Any business that offers services or products to EU citizens is affected by these regulations, as are all websites and apps that collect personal information from EU citizens.
If you own a website, you need to understand the GDPR. Companies that do not comply, regardless of where they are based, face considerable fines or other penalties.
Pros of GDPR Compliance
Over the last few years, it seems there has been a new story every other week about a database breach or a company sharing user data with a third party without its users’ knowledge. The GDPR attempts to minimise this to protect the consumer.
As a business owner, the GDPR also protects you by making the data you collect more secure. When your customers feel safer providing their personal information, they are more likely to continue doing business with you.
Contents of the Data Protection Policy according to GDPR
The new Data Protection Policy can be split into three general categories.
First, the GDPR sets forth what information can be collected and how people are informed about data collection. Websites must now provide a clear and readable explanation of what data they are collecting. This is the reason websites are updating their terms of service.
Second, it firms up Data Subject Rights (DSR). Users must be informed what data is being collected and must have access to that data if desired. Companies must be able to organise and provide personal data when requested. Also, users can revoke their consent at any time after it has initially been given.
Finally, the GDPR is being used to shore up data breaches through greater transparency and stricter security protocols. Companies that deal with “significant” personal data will now be required to employ a Data Protection Officer to oversee data collection and GDPR compliance.
This third prong is a response to the flood of data breaches that have occurred in recent years. Far too often, when a company had its data breached, it attempted to cover it up or downplay the severity. These new regulations are aimed at preventing further deceptions.
Data protection and cross-border transfers
If you or your business are based in the United States or another non-EU country, you might be wondering why an EU regulation can have jurisdiction over you. The simple answer is it doesn’t, so long as you are fine forfeiting all EU clients or business associations.
The EU is one of the largest and most lucrative business markets in the world, which is why most international companies are willingly complying with the GDPR.
Companies outside the EU are still scrambling to ensure GDPR compliance. Even European territories not in the EU must rethink their data protection policies. There are GDPR services for companies hoping to achieve compliance.
The United States has so far been unsuccessful in crafting its own set of uniform data privacy regulations, which has hampered efforts to improve global data protection. In the absence of a global standard for data protection, the GDPR exists to usher in uniformity throughout the 28 nations of the European Union.
Chapter V of the GDPR sets forth the rules for cross-border data transfers. Data collected by a GDPR-compliant party is often passed to a third-party country outside of the EU’s jurisdiction. The GDPR requires that country reach a certain level of “adequacy” in data protection for a transfer to occur.
For countries that do not currently meet this level, Chapter V lays out increasingly strict (and, likely, more expensive) protocols that must be followed before a transfer is permitted.
If a country does not achieve adequate levels of security, or if it fails to reach the requirements of Chapter V, it will essentially be shut out from online business in the EU. That’s a massive incentive for nations to comply with the GDPR, which makes these regulations the de facto global standard for data protection.
Data Subject Rights
Ultimately, GDPR is about putting the control of data back in the hands of the consumer. Safeguarding Data Subject Rights is the impetus for the rules and the reason why we need them so much.
Whether you are a consumer or a business, the GDPR is designed to make you and your data safer. Time will tell how effective these regulations are and whether companies fully comply. For now, though, it’s a major step for improved data protection, and everyone should appreciate that.