What is the General Data Protection Regulation and why should us Yanks care?
When I started seeing tweets about GDPR in my feed from people I didn’t think would have any interest in internet data privacy regulations, I figured it was time to get educated.
So what is GDPR and why should I care about it? GDPR stands for General Data Protection Regulation. Passed in 2016, it is the European Union’s new set of personal data protection and privacy rules. The two years the EU gave website operators to comply expire May 25, so that’s why we’re starting to hear so much about it.
The GDPR establishes rules for the types of personal data companies can collect and store for European users. The GDPR gives individuals the right to find out whether, where and how their personal data is being used.
The new rules make personal data protection paramount, giving users ownership of their data and even the right to request that it be deleted. Additionally, website operators are now required to report all data breaches within 72 hours.
According to the European Commission, personal data includes, “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Under the GDPR, a business or government agency can still harvest user data, but to use this data it must obtain the user’s consent in an easily understood way. Penalties for violation of the regulations are stiff, with fines up to four percent of annual global revenue or 20 million euros, whichever is greater.
It would be easy to assume that the new regulation is a product of the recent disclosure of Cambridge Analytica’s abuse of Facebook user profile data. While the GDPR affects Facebook like any other online company, the timing is strictly coincidental. Passage of the law preceded the Cambridge Analytica scandal by nearly two years.
While the GDPR was not in place to prevent that episode, its provisions will make it difficult for such an entity to explain or justify similar data harvesting in the future.
But protection of individual privacy is only assured to the extent that users modify their privacy settings. GDPR won’t help if users continue to allow their data to be harvested despite having this newly expanded right to say ‘no’.
As you might expect, compliance is proving difficult for small businesses. And even for large businesses, the first hurdle, before worrying about ongoing collection, is determining what user data already exists and where it is stored.
Undoubtedly, you’ve been seeing requests to consent to new privacy policies on websites you use. Some of this is surely a result of the GDPR as these regulations apply not just to European-based sites but also international sites with EU users.
Moreover, some sites are likely applying the new regulations to all users just to be safe or because they feel it’s simply best practice.
So what do Americans need to do about the GDPR? Well, if you operate a website with users who are European residents, you definitely need to achieve compliance by May 25. Here is a good overview of the necessary steps from a CIO magazine contributor.
Even if you limit data collection to non-European users, you might consider adopting GDPR-like standards anyway. At the least, your users will thank you for them, or perhaps soon come to expect them.
If you are a user presented with a new opportunity to better protect your data, review your options carefully and consider taking advantage.
What about US?
With a Republican-controlled Washington D.C. taking advantage of every opportunity to scratch an anti-regulation itch, GDPR-like legislation in the US seems unlikely any time soon.
Then again, if there’s one constituency GOP legislators don’t mind sticking it to, it’s tech companies like Facebook in progressive Silicon Valley.
What are the chances the US promptly adopts a regulation similar to GDPR? Your guess is as good as mine.