General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals in the EU. It is set to be implemented on 25 May 2018.
GDPR is an attempt to update data protection for the 21st century and make Europe ‘fit for the digital age’. It is a direct descendant of the 1995 EU Data Protection Directive and the culmination of four years of effort to make data protection more relevant to how the world works today.
The importance of data today is almost impossible to exaggerate. Amazon, Google, Twitter and Facebook all offer their services in exchange for your data. In the past weeks, the Cambridge Analytica scandal has proven why this is an extremely important exchange, with its poster boy implication being that 50 million Facebook profiles were harvested to influence the results of the 2016 US election. GDPR then, is a response to this pseudo-abuse of data, and was created in order to tidy up the law and protect users from such shady practices happening again.
GDPR came into force on 24 May 2016 after it was collectively agreed on by all members of the EU. The upcoming deadline is simply when the regulation will come into effect for all businesses and organisations within the EU in its entirety. GDPR will provide organisations with more clarity regarding the legal environment of data usage. The fact that it will be adopted by all member states leads the EU to believe that it will allow companies to collectively save €2.3 billion annually.
There are major changes included in the regulation. The definition of personal data, for example, has been expanded significantly, and online identifiers such as IP addresses now qualify as personal data. Other data, including economic, cultural and health information, is considered personally identifiable information.
Further to this, controllers (those who state how and why personal data is processed) must ensure that data is processed lawfully, transparently and with clear purpose. Once the purpose is fulfilled, it must now be deleted. The controllers must also keep a record of how and when the individual provided consent, allow withdrawal of said consent at any time, and permit access to the data at “reasonable intervals”. The controllers must also describe what is occurring with regards to data in plain language so that an understanding is accessible to everyone.
Even more importantly, individuals can now request that data which is incomplete or incorrect be rectified. Furthermore, individuals now have the right to have their data deleted if they believe it is no longer necessary or is being used for purposes other than those for which it was collected. This is what is known as ‘the right to be forgotten’ and is probably one of the most tangible changes consumers will be able to explore following the introduction of GDPR.
Businesses which fail to meet these new standards can be fined up to 4% of their global turnover or €20 million. If you’d like to know more about the upcoming regulation, you can explore GDPR further here.
So what is GDPR? It is a mitigator of runaway data monopolies which are currently acting unethically, and a bridge to a brighter future in data (and consumer) protection.