Since the General Data Protection Regulation (GDPR) was created by the European Parliament and Council in April 2016, companies from tech giants to small businesses have buzzed with anticipation for its implementation in May 2018. The law replaced the 1995 Data Protection Directive (DPD), which previously set the rules for data regulation. The GDPR sets strict legal conditions on how businesses collect and use personal data. Its influence spans all continents, as it affects not only businesses operating in the EU but also any business that provides services to consumers in the EU.
This landmark legislation will set a precedent for other governing organizations that will need to make decisions about data collection and privacy in the near future. Data breaches such as the Cambridge Analytica scandal in 2018 and Uber’s data breach cover-up in 2016 have made consumers increasingly aware of how their personal data is being used and what is at risk when their data is shared. In other words, consumers want more control over their data, and the GDPR aims to give them that control.
The reception of this law by the public has been mixed. While most people agree that an updated law that protects personal data is necessary, there are disputes about how the GDPR is or should be executed. Some of the problems with the new law include its complexity and the hefty fines imposed on businesses that don’t comply.
The complaint that the GDPR is too complex and overbearing is persistent from the government level down to the individual level, and understandably so. The official Regulation published in the Official Journal of the European Union spans 11 chapters and 99 articles of jargon-laden terms and legal concepts that the layperson may find difficult, if not impossible, to understand.
One way to better understand the GDPR is to compare it to the previously enforced DPD. The directive was created in 1995 to protect EU citizens’ personal data, and it had many of the same components as the GDPR, such as consumers having access to their data, consumers being notified when their data is being collected, and companies ensuring that the data collected is secure and not misused. However well-intentioned, many aspects of the DPD were outdated, and since the world of data has changed immensely, it became imperative that governments readdress and rework the rules for data regulation.
There are six main differences between the GDPR and the DPD. The first is the definition of personal data. At the time the DPD was created, personal data mainly referred to the consumer’s address, phone number, name, and email address. Now, however, companies have access to substantially more data, such as IP addresses, fingerprints, face scans, photos, live physical location, search and purchase history, ethnicity and other identity markers, and much more. Companies can use data like this for advertising and for customizing the user experience, but consumers have become increasingly concerned for their safety and privacy because of the incredible amount of information companies can collect about them. The shift in what personal data means for consumers and companies is the most important change the GDPR makes.
The next change has to do with individual rights, which mostly consist of explicit consent from users and straightforward terms of agreement. No longer can companies use drawn-out and obscure agreement contracts that users cannot understand and that leave them unaware of what they are consenting to. Users will also be able to access their own data, halt access to their data, and request that their data be deleted. These changes will be monumental in data collection, as they give autonomy back to the people and prevent companies from taking advantage of their consumers.
The dynamic between data controllers and data processors will also change under the GDPR. Data controllers can be persons or agencies that determine the purpose and means of controlling data, whereas data processors process that data for the controller. Unlike the DPD, the GDPR will hold both data controllers and data processors accountable for ensuring data security. Large-scale companies will also be required to appoint Data Protection Officers to conduct assessments and monitor activity that involves data collection and use.
The GDPR outlines swift and detailed procedures for data breaches and security. Companies are now required to immediately notify all users of data breaches, detailing the extent of the breach and the possible outcomes. Any company that fails to comply with these procedures, as well as the rest of the procedures outlined by the GDPR, will be heavily fined. In the past, penalties for non-compliance were poorly regulated and rarely enforced. Now, “companies could pay up to 20 Million Euros or 4% of their global turnover (whichever is greater).”
The biggest problem that corporations have had with the GDPR is how massive and sweeping the legislation is—many companies will have to entirely restructure how they collect and use data, which will cost time and money. For example, German company Allianz “has spent tens of millions of euros to get ready for the GDPR, mobilizing hundreds of privacy experts from 80 subsidiaries to make changes including a redo of online insurance applications to avoid requesting information—such as an applicant's profession—that is unnecessary for an insurance quote.”
Tech giants and credit card companies are not the only businesses that are subject to the new rules—anyone that collects data will have to comply with the regulations. According to Kinesh Patel, co-founder of SevenRooms, “Even restaurants in the U.S. are worried about complying with the law, because they gather and keep information about EU residents who make reservations when traveling.” Every company will face different challenges while implementing GDPR rules, as there is no one-size-fits-all approach to data regulation.
Until now, the world of data has been a free-for-all, with companies facing minimal rules and punishments for collecting and using consumers’ personal data. But this lawlessness has not been without consequence—in 2018 alone, millions of people were affected by data breaches that compromised users’ personal information. Most notably, in March 2018 it was revealed that the data firm Cambridge Analytica had “used data improperly obtained from Facebook to build voter profiles” for United States political campaigns. This is just one of many examples of people’s personal information being compromised or used for purposes the user did not consent to.
Because of massive scandals like this that have been recurring in the last few years, users have become increasingly aware of their data privacy and security, and they are demanding change. A recent Pew Research study found that “91% of Americans ‘agree’ or ‘strongly agree’ that people have lost control over how personal information is collected and used by all kinds of entities.” Even though it will be difficult and expensive for companies to implement the changes set forth by the GDPR, in the long run it will likely benefit companies, as users are demanding this change. With increased data security, consumers will be more satisfied and brands will gain reputability.
The new regulations laid out in the GDPR are undoubtedly complicated, but because of the immense number of companies and countries the legislation must cover, it has to be inclusive and thorough. Furthermore, the EU, as well as other entities and publications, has published documents that are publicly available online and that simplify and break down the GDPR rules. Understanding the rules will be a learning curve for companies, but it will not be impossible, especially considering that the GDPR requires many of these companies to appoint an individual who specializes in understanding and upholding the regulations. The effort and cost it will take to understand the GDPR is a small price to pay for securing critical personal information and data.
The EU’s push for data security and control has set a precedent for other countries—the high standards set by the GDPR are already creating an expectation for other governments to follow suit. In the United States, for example, data regulation has been a highly debated topic in the past two years as data breaches have impacted citizens in major ways, namely during political elections.
Some states in the U.S. are beginning to implement their own laws that incorporate aspects of the GDPR; most notably, the California Consumer Privacy Act. This article explains that, “While it doesn’t go into effect until 2020, the California Data Privacy Protection Act represents one of the most sweeping acts of legislation enacted by a U.S. state to bolster consumer privacy. Falling on the heels of the GDPR, California’s Data Privacy Protection Act may mark the beginning of stricter U.S. consumer privacy protections.” Other states must soon follow in these footsteps in order to keep up with the task of data security and regulation.
The General Data Protection Regulation is indeed complex, but it is a critical step toward data security. For many companies, the GDPR will mean a complete restructuring of data collection and use—redesigning programs and implementing new systems so that data regulation is incorporated into the design at every stage. This massive undertaking will not be easy, and in the coming year we will better understand what aspects of it work and what needs to be amended, added, or reworked. However, it will serve as an example to other governments of the effort and consideration that must go into data regulation so that consumers can regain trust in corporations and regain control of their personal data.