In April 2016, the General Data Protection Regulation (GDPR) was approved. The GDPR is a piece of European Union (EU) legislation that aims to improve data protection for EU citizens. European authorities gave companies two years to comply with the new legislation, but their time to prepare is just about up. As of May 25, 2018, the GDPR will take effect and replace the previous law, the Data Protection Directive. Users have been concerned about data privacy following the recent Cambridge Analytica scandal. Perhaps the GDPR could put their worries to rest.
The new legislation could profoundly affect companies around the world, including technology giants, like Google and Facebook. Below, we will explain what the GDPR is, who it will affect, and what the repercussions are for non-compliance.
What is the GDPR?
In essence, the goal of establishing the GDPR is to give consumers within the EU more control over their personal data. The new legislation will impact not only businesses in the EU, but also companies outside the area that handle EU consumer data. According to Facebook, “While many of the principles build on current EU data protection rules, the GDPR has a wider scope, more prescriptive standards and substantial fines.”
Some of the basic requirements in the GDPR include:
- Consent must be freely given, specific, informed and unambiguous, and expressed by clear affirmative action
- People have a right to withdraw consent, and this right must be brought to their attention
- Consent must come from a person over the age of consent specified in that Member State; otherwise it must be given or authorised by a parent/guardian
- Explicit consent is required for some processing (e.g., special categories of personal data)
- Processing may also rely on legitimate interests of a business or a third party, provided they are not overridden by individuals’ rights or interests
- Processing must be paused if an objection is raised by an individual
- Data processed must be necessary for the service and defined in the contract with the individual
The GDPR aims to strengthen the current conditions of consent. Businesses will not be allowed to use vague statements regarding consent, and they will have to make it easy for consumers to withdraw their consent. Clear language will be required when companies request users’ consent. Requests for user consent will also have to be “unbundled” and kept separate from other terms and conditions.
Who is affected?
The GDPR does not discriminate based on company size: any company that uses the personal data of EU citizens will be impacted by this change. Whether a company has 2000 employees or 10, it will need to comply.
If you are unsure whether the GDPR will affect your business, the chart below will help you determine whether your business will be impacted or not.
Given the important changes that will need to be adopted soon, it is likely that most companies affected by the GDPR have already restructured their practices. Many large companies have released statements to explain what actions they are taking to comply with the GDPR.
Facebook made the following statement regarding their preparations: “Data protection is central to the Facebook companies. We comply with current EU data protection law and will comply with the GDPR. Our GDPR preparations are well underway, supported by the largest cross-functional team in Facebook’s history. We’re also expanding our Dublin-led data protection team, which is leading these efforts.” Facebook recently launched new data privacy tools, which will help them to adhere to the new legislation.
What are the repercussions?
Failure to comply will be very costly for companies. Fines for non-compliance can reach 20 million euros or 4% of a company’s annual global turnover, whichever amount is greater. These hefty fines will presumably deter companies from breaching GDPR rules.