On May 25, a new law called the General Data Protection Regulation (GDPR) is going into effect in the European Union. The law was created to protect EU citizens from potential abuses, like the recent Cambridge Analytica scandal. Though the timing may seem coincidental, this law has been in the works for more than four years. GDPR will replace the Data Protection Directive (95/46/EC) of 1995.
Under GDPR, companies can be fined up to 4% of their worldwide annual revenue from the previous financial year. This is a staggeringly large penalty. A violation could cost Facebook, for instance, up to ~$1.6 billion. The number would be much greater for companies such as Google and Amazon.
1 – Consumer Control
When GDPR takes effect, you’ll be able to ask companies what information they have about you and then (if you want) ask them to delete that information. This applies to all companies, including tech companies, banks, retail sites, and even your boss.
Anyone who suspects a company is misusing his or her data can file a complaint with the national data protection regulator, who will investigate the claim. You’ll also be able to file class-action-style complaints. GDPR also offers something called “data portability,” which requires that businesses allow users to download their data and move it to a competitor. To learn more about data portability, read this.
2 – Nowhere to Hide – Even US-Based Businesses Will Have to Comply
According to Article 3 of the GDPR, the regulation will apply to
- … the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- …the processing of personal data of data subjects who are in the Union by a controller or pro cessor not established in the Union, where the processing activities are related to:
- (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
- … the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public internat ional law.
Under this regulation, any business in the European Union will need to adhere to GDPR, as well as any company that has EU clients or customers. While it’s easiest to comply with GDPR (even if your business isn’t based in the European Union), there are ways you could get around it:
- You could geofence (prohibit access from certain IP addresses) your website and deny access within the European Union.
- You could identify EU residents within your user base and adhere to GDPR for those users only.
While both of these solutions are technically possible, neither is a good option; it’s costly and impractical to run parallel systems. There is also the risk of improperly identifying a user, which could lead to fines. As such, nearly every major company that does business overseas – even companies not based in the European Union – are planning to comply with GDPR.
3 – If You Collect Data, the Burden Is on You
No matter who you are or where you live, if your goods and services are available online, GDPR is going to have an impact on how you collect and use data. Here are a few steps you should take today:
- Know what data you have, how you got it, and whom you share it with. To achieve this, you may need to perform a data audit.
- Review your privacy notices, and update them to ensure that your data collection process is concise and written in plain English.
- Determine whether or not you’re required to formally designate a Data Protection Officer (DPO, who would be either an internal employee or outside advisor).
- Ensure you have a system set up to detect, report, and investigate data breaches.
These suggestions are just a starting point. For a detailed, helpful guide toward becoming GDPR compliant, review this PDF on ICO.uk. (The ICO is the Information Commissioner’s Office, the United Kingdom’s representative in the European Union’s Article 29 Working Party.)
Depending on your field of work, you may be impacted by GDPR more than others may be. For instance, email marketing now requires proof of opt-in. You can no longer pre-check boxes to automatically sign members up for newsletters, or have a box to opt out; instead, you’ll be able to collect and use email addresses only if members opt in. You must also have proof of opt-in (as defined in the regulations).
If you have an existing mailing list, there are several options you could take to ensure compliance:
- Delete the entire list and begin anew. (Easy, but not very practical.)
- Attempt to separate EU members from non-EU members. (Could be difficult, and includes a risk that if you miss any EU members, you could face a fine.)
- Ahead of May 25, email your list and have everyone on the list re-opt-in. (Best option.)
4 – As a Normal Person (not a Business Person), You Might Like GDPR
As companies update their privacy policies, they’re notifying their users via email. Look through your inbox; you’ve likely gotten several dozen over the past few weeks.
GDPR gives you the ability to control how businesses interact with you and handle your data. But there’s a bit of a catch: you need to read the notices and take control of your data.
Do you want to be tracked? Do you want to be forgotten? Do you want to download your data? GDPR is giving you the option to control the way advertisers interact with you, but it requires that you do some work. It’s easy to archive, delete, or altogether ignore these emails, but you should take the time to read them. A key component of GDPR says that companies must tell you, in plain English (not “legalese”), that you have options when it comes to your data.
5 – This Is Going to Hurt – Until Someone Finds a Work-Around
The data governance pendulum has swung to the far side. GDPR is going to be extremely hard to comply with. Especially for American businesses that do only a small amount of business in the European Union. No one really knows how the European Union will enforce GDPR, who the GDPR police are, or how draconian they are going to be. This will reveal itself in the fullness of time.
For now, consumers should take advantage of the right to be forgotten, the right to control their data and their privacy.
For businesses, it’s time to get your data governance in order. The good news is that the internet is a big place, and you would need to be in extreme violation to even show up on the GDPR radar. The bad news is that if you do, the fines are insane.