Has your email inbox been filling up with privacy policy updates? It seems like every service, app or subscription I’ve signed up for (including more than a few I’ve forgotten about) is sending me one. And the reason is that on Friday, May 25, 2018, a new law takes effect in Europe — the General Data Protection Regulation aka the “GDPR.” If you don’t know what that means or how it affects you, read on.

1. The General Data Protection Regulation gives the European Union the power to hold businesses and organizations accountable for how they collect and handle personal data — your data.

Businesses and organizations have had two years to get ready. This wasn’t a sneak attack by the European institutions. The GDPR went on the books in May 2016, giving anyone who collects customer data plenty of time to prepare.

2. Even though it’s driven out of Europe, the GDPR impacts the whole world.

If you live outside of Europe, you’re probably wondering what a European law has to do with you. Thanks to something called “territorial scope,” any organization that deals with data of EU residents must comply with the GDPR for those individuals, which impacts global organizations like Apple and Facebook. Even though they are not strictly required, some organizations are taking a principled (and perhaps easier) approach, providing the same set of controls and protections to non-EU residents.

3. It’s filling up in your inbox. 

We’ve all been bombarded with emails about updated privacy policies and terms of service. It’s (mostly) not fallout from the Cambridge Analytica scandal, it’s because organizations are getting their policies and practices into GDPR compliance. Bonus points: All those emails are a hint to disconnect from services you’ve forgotten about.

4. You already have control of your privacy and all our products.

Our organization and its people are rooted in in a commitment to privacy. We feel like the rest of the world is catching up to where we have been all along.

5. Data privacy is by design and by default.

Organizations collecting or using personal data will have to consider privacy throughout the entire lifecycle of products and services. That means that from the day teams start designing a product, service or feature, privacy must be top of mind. It also means that initial app and service settings will be set toward privacy by default so as to comply with the GDPR, and it will be your choice to change or turn them off as you prefer.

6. Policies and Terms of Service should be easier to understand.

The GDPR requires data policies to be written in plain language so you can better understand what you’re consenting to. Now is a good time to revisit the privacy and data policies of the services you use and update your settings. Here are a few to get you going:
– Apple
– Facebook, Messenger and Instagram
– Google: Privacy Policy updateYour Account
– LinkedIn
– Microsoft
– My Fitness Pal
Snap
– Twitter

7. You have the right to take your data with you to another service.

This principle of “data portability” means that you (1) have visibility into the data an organization has collected about you, (2) can move that data to a different service provider (such as a competitor) without losing the data history you’ve built up, and (3) are getting closer to being the keeper and beneficiary of your own data. How that will happen isn’t totally clear yet.

8. You have the right to be forgotten.

In addition to having the right to your data, you also have the right to request its erasure

9. Data breaches will be reported to regulators much faster.

The GDPR has a “72-hour rule” which means that controllers must report a breach to its supervisory authority within three days after becoming aware of it. In theory, you should find out more quickly as well, when there are high risks to your “rights and freedoms” as laid out in the 72-hour rule.

10. Violations will cost big.

Like, really big. In the past, penalties for irresponsible data collection and management were low enough that it was, perhaps, more profitable for big players to eat the fines. Now, however, “organizations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).” While it’s still unclear what a “significant” violation would be, here’s how a fine could add up for for Alphabet, the holding company of Google. Alphabet made $110 billion in 2017, so a significant violation against the GDPR could result in a whopping $4.4 billion fine. (!!!)

11. What’s good for users is also good for business.

Storing personal data isn’t without risk (see #9.) Stronger data and security practices decrease the risks associated with personal data collection and processing for both users and organizations. This is not negligible: in 2015 data breaches have cost on average USD 3.79 million per impacted company, without mentioning lost customer trust and public relations fallout.

12. Less data, more trust.

It’s sad but true that some organizations don’t even know what data they have or where it’s being stored, and the GDPR encourages organizations to think twice about the amount of data they collect. Plus, they need to justify their purposes for collecting it. At Mozilla, we put these principles into action and advocate for businesses to adopt lean data practices. The GDPR represents an opportunity for more businesses to be leaders when it comes to data collection by choosing to collect only what is necessary for providing a product or service, rather than casting the widest possible net.

13. The GDPR is a floor, not a ceiling.

Mozilla wants users to have meaningful controls and for there to be sensible privacy settings that aligns with users’ expectations. The GDPR provides a baseline set of rules, which helpfully lay the groundwork for more ethical approaches to data collection and processing. It’s is a step in the right direction, but the devil will be in the details for most organizations. New privacy controls, even if they technically comply with the GDPR, won’t help if they are too difficult to use and if organizations aren’t committed to the underlying principles that shaped this regulation. Still, we like that it will encourage a culture of responsible privacy, empowering the individual to have control and choice over their online experience.