Cyber Security

What Is the GDPR Regulation?

The GDPR stands for the General Data Protection Regulation. This is a legal framework that went into effect in the European Union earlier in the year. The GDPR sets guidelines for privacy and collection of data. Although it only applies within the European Union, many companies found it easiest to follow the regulation around the world. This allows for similar operations worldwide while complying with GDPR in the EU.

Most people are aware of the GDPR, if only because of the vast number of privacy policy updates. When GDPR was about to go into effect, most people had their inboxes filled. Dozens of emails let them know about changes to privacy and data collection policies due to the adoption of GDPR. The regulation went into effect on May 25, 2018.

What It Includes

The GDPR outlines principles for managing data as well as the rights of individuals. Additionally, it sets out fines based on revenue. The regulations outlined in the GDPR apply to every company dealing with data of citizens within the European Union. It is particularly important for financial institutions, such as banks and insurers. It also applies to other companies.

What GDPR Replaces and Its Improvements

The GDPR policy replaces the 1995 Data Protection Directive. Until the arrival of the GDPR, this previous policy laid out the minimum standards of data processing within the EU.

Compared to the Data Protection Directive from 1995, the GDPR strengthens individual rights. Specifically, people have more power to compel companies either delete or reveal personal data being held. With the GDPR, regulators can now work together across EU. Previously, they had to rely on separate actions for every jurisdiction. Furthermore, the enforcement abilities of regulators improve. This comes from the maximum fine being now set to 4 percent of a company’s global turnover or €20 million, whichever is higher.

Specific Ways GDPR Protects Data

The European Union already had a general policy of data protection but felt that more was needed. The GDPR requires companies to notify users that they collect their data, within the EU. The regulation also includes the requirement of obtaining explicit consent to collect that data. Companies must have a dedicated data protection officer on their team and notify users in the case of a breach or hack.

How GDPR Impacts Companies

Nearly every single company operating within the EU needed to make some sort of changes to comply with the GDPR. Financial institutions had to make more adjustments than other types of companies due to the sensitive data used. Technology firms, data brokers, and marketers are also heavily impacted. The rules outlined in GDPR apply to every type of company. Human resources departments must follow GDPR when collecting and storing data for records. The GDPR even applies to seemingly simple information such as IP addresses anytime you use online services.

Additionally, the regulation encouraged companies to pseudonymize any personally identifiable information (PII). This pseudonymizing should occur before processing. It ensures that it is impossible to link data back to the person it corresponds to. Thanks to pseudonymization of data, some firms can continue large data analysis. Without this process, firms could only analyze the data they originally collected with a clear purpose.

Overall, the companies facing the greatest impact from GDPR are those that acquire then exploit consumer data. Companies now need explicit consent in an informed manner. Half-hearted consent hidden amidst legalese in privacy policies is no longer enough.

 

Challenges of GDPR

It should come as no surprise that such a far-reaching regulation as GDPR comes with its own host of challenges. There was a great deal of criticism for GDPR. Opponents of the regulation pointed out that it could lead to an administrative burden for member countries of the EU.

Additionally, while the guidelines were clear as to who must comply, there was not enough information. For example, social networks, as well as cloud providers, were included. At the same time, there was no consideration or outline for employee data.

Thanks to the GDPR, it is also impossible for companies to transfer data outside of the European Union. The only exception is if the destination country guarantees similar protections as GDPR. Because of this, many companies had to change their business practices.

There are also high costs associated with GDPR. These arise from changes companies must make as well as administrative and regulatory costs. Opponents to the GDPR also feel that the costs may rise due to a need for general data education.

To round it all out, various member countries of the EU and data protection agencies may interpret the GDPR differently. When this occurs, there can be conflicting information. That disagreement may also make it harder to agree on standard data protection levels.

How GDPR Impacts Large Tech Companies

Because of the vast amounts of data they collect, large technological companies were heavily impacted by the GDPR. Most began taking action well before the GDPR officially went into effect in late May 2018.

Facebook, for example, enhanced its offering of privacy tools. These included a new tool called “access your information” where users could find, download, and/or delete particular data. The combination of new tools aimed to give users additional control over privacy. There were also new terms of service.

Apple followed a similar set of actions. They had their own dashboard privacy. The tech giant also took the opportunity to brag about its minimal data collection in comparison to other companies. While Facebook and Apple made major announcements about their updates, Google did so quietly. Every tech giant took a slightly different approach.

Predictions for the Future of GDPR

Those familiar with GDPR feel that it is here to stay. Considering that it successfully remained in place throughout 2018, this is likely to be the case. Experts feel that the requirements within the GDPR are sufficiently clear. Combined this with the fact that consequences for failing to comply can be serious enough to impact a company. This encourages companies to actually make changes and comply with the GDPR. By comparison, some businesses ignored previous regulation due to seemingly minimal consequences.

Of course, there will be legal challenges to specific components of GDPR along the way. By this point, many court decisions have already taken place, but more will likely be in the future. Even so, it seems as if GDPR will be able to withstand the challenges as court cases have upheld it so far. Time will tell if GDPR remains the norm or the EU supplements the regulation. It also remains to be seen if other countries will follow suit.

Leave a Comment