You’ve probably received more than a few “Terms of Service changes” emails in the last few weeks from sites you don’t even remember subscribing to, promising increased transparency, improved functionality, and GDPR compliance. What’s going on?
Europe’s General Data Protection Regulation (GDPR) went into effect May 25th, 2018 in all member states “to harmonize data privacy laws across Europe.” The regulation replaces the relatively ineffective and mostly ignored 1995 Data Protection Directive, which established minimum standards for processing personal data in the European Union. The EU drafted the new rules, seven years in the making, to better protect vulnerable consumers in an era of frequent data leaks and escalating cyberattacks.
Who is affected by GDPR?
GDPR is EU law, but any company that holds or uses data on people inside the EU is subject to the new rules, regardless of where the organization is based. Because of the scale involved, many companies, including Apple and Facebook, are applying the law’s terms worldwide rather than maintaining separate regimes. Stuart M. Gerson of Technology Employment Law explains: "GDPR applies worldwide as to any company that offers goods or services (even if they are free) within the EU or collects, processes, or maintains (anywhere) personal data about European residents (again, not just citizens)."
The companies most affected by GDPR are “those that hold and process large amounts of consumer data: technology firms, marketers, and the data brokers who connect them,” explains The Guardian. No longer free to exploit consumer data as they see fit, companies must now have a lawful basis for every processing activity; where that basis is consent, the consent must be freely given, specific, informed, and unambiguous, and fresh consent is needed if the purpose of the processing changes.
The cost of complying with the regulation places a huge burden on some companies. It's estimated that Fortune Global 500 companies spent roughly $7.8 billion to prepare for the new rules, according to CNNMoney (London).
The penalties for non-compliance are steep: the most serious infringements carry fines of up to €20 million (roughly $23.5 million at the time the law took effect) or 4 percent of annual global turnover, whichever is higher, so large firms face the percentage-based ceiling while smaller firms face the fixed amount. A lower tier of up to €10 million or 2 percent of turnover applies to less serious infringements.
What does GDPR mean for internet users?
Because even smaller U.S. organizations that don't do a lot of data processing may nonetheless handle some data belonging to persons located in the EU, many U.S.-based companies are adopting the GDPR's terms for safety and uniformity. Where a company does so, its United States users enjoy the same rights as EU residents as of May 25. According to CNBC, these include:
- The right to be informed about the collection of personal information.
- The right to access personal information via a subject access request; companies must provide the information within a month at no cost. If the data contains inaccuracies, companies must correct it.
- The right to have personal information erased completely from servers, or to have its processing restricted, in which case companies may store the data but not use it. Exceptions include information used for law enforcement purposes and data required to provide a service the individual has requested.
- The ability to move or copy personal information from one source to another (data portability).
- The right to object to the use of personal data for direct marketing and profiling.
All of these rights are in accordance with the EU’s primary goal for GDPR of achieving a global shift toward "privacy by default."
Want to learn more about earning your online MBA – Information Security/Assurance degree from Johnson & Wales University? Our exciting accelerated-schedule program launches in Fall 2018. Complete the “Request Info” form on this page, or call 855-JWU-1881.