Today, the European Union’s General Data Protection Regulation (GDPR) comes into effect, meaning all companies that do business in the European Union face new privacy compliance rules for the first time in around twenty years. The new regulation’s ramifications are pervasive for consumers and for data-handling companies both in and out of the E.U.
Why should people outside the E.U. care?
Consumers in the U.S. may want to glance over these new rules even though they directly govern only the E.U. Many companies that must bring their privacy policies in line with GDPR also handle personal data for a global client base. This presents an opportunity for those companies to streamline their policies so that American consumers reap the benefits of GDPR compliance as well. Microsoft recently confirmed such a trend, declaring that it will apply GDPR protections to Microsoft customers worldwide.
These new regulations impact U.S. business owners as well, regardless of their size. Any business that serves European clients must protect that client base as the GDPR requires. The GDPR also gives each company an occasion to examine its own policies for protecting citizens’ personal data. To support this notion, the regulation includes provisions that restrict transfers of personal data outside the E.U. to countries that fail to ensure an “adequate level of protection.”
What does it mean to be GDPR compliant?
While it is hard to dispute that all businesses and consumers should understand the importance of GDPR compliance, it is just as hard to understand what constitutes being GDPR compliant. Compliance can be broken down by the responsibilities held by companies in the two major roles of data handling: the responsibilities of the data controller and the responsibilities of the data processor.
Compliance: Data Controllers
Data controllers are the entities that decide how personal data, both electronic and analog, is used, and that hold responsibility for that use. Under GDPR, the data controller bears the burden of putting a contract in place with each of its data processors.
To achieve GDPR compliance, controllers must disclose in their privacy policies the legal basis on which they process clients’ personal information. They must also disclose how they gather and process that information. Data controllers must allow customers to opt out of profiling and of individual automated decision-making, that is, decisions made about a customer without human involvement; the page’s example of automated decision-making is the recommended-items feature that firms like Amazon and Google use. The GDPR specifies that withdrawing consent must be as easy for the customer as giving it was in the first place. Data controllers must obtain consent from a parent or legal guardian to process the data of children under the age of sixteen (member states may lower this threshold to thirteen). Lastly, the GDPR mandates that any high-risk processing is subject to a Data Protection Impact Assessment (DPIA).
Compliance: Data Processors
Compliance: Shared Duties
The most significant shared duties of data processors and data controllers concern the new protections granted to E.U. citizens. The GDPR gives customers the right to easily request access to and correction of their personal information; they can also request that controllers, and the processors acting for them, delete their personal data. Companies must also discard personal data once it is no longer needed. Customers can further request that controllers deliver their data to them or to an independent third party in a portable form. To maintain accountability, both data processors and data controllers must appoint a Data Protection Officer (DPO) where their core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data; the DPO oversees the data protection strategy and ensures that the company maintains GDPR compliance.
Consequences for non-compliance?
Firms must be able to demonstrate that they are following the rules set by the GDPR. Failing to meet these compliance obligations incurs fines of up to 4% of annual global revenue or €20 million ($23.4 million), whichever is larger.
What does this mean for personal data regulation?
For the customer of a personal-data controller, the pervasive nature of the GDPR ensures that customers have the means to hold these controllers accountable. Data breaches allow private information to be collected for unknown uses without consent. Facebook’s breach affected upwards of 87 million of its users, and accountability for Facebook’s role as the data controller could only be pursued after the breach had already occurred. In Facebook’s case, it took around two years for knowledge of the breach to become public. GDPR’s expansion of explicit protections and rights for the customers of these companies shifts agency to the consumer.
Under GDPR, Facebook, as a data controller, would have to evaluate high-risk processing initiatives through the DPIA process, safeguarding consumers against data processors that might take personal data under their own control. The required disclosure of a controller’s associated processors and gathering methods gives the consumer two protections. First, consumers can trace their data beyond the data controller to its processors and subprocessors. Second, controllers can no longer anonymously fold consumer data into trend analysis.
Potential Limitations to the GDPR
Given the expansive breadth of the GDPR’s territorial and material scope, these rules may draw an interesting line for future privacy regulation. Where digital data controllers can simply scrub their data of personal information to keep doing trend research, analog controllers have no such option. The GDPR does not exempt companies from its requirements on the basis of size, so independent contractors who handle small-scale analog data are still subject to these regulations and fines.
Experts do not yet know how to resolve conflicts between GDPR compliance and foreign legislation. A country that requires companies to retain billing receipts for a certain period may not allow its companies that sell to E.U. citizens to scrub personal data despite consumers’ requests. The boundary of what counts as personal data is also unclear; a person’s face (as used by facial recognition software) constitutes personal data and may be subject to GDPR protections. Lastly, while consumers can ask that their personal data be scrubbed under the “right to be forgotten,” companies still own proprietary algorithms that can identify a past consumer and target them on their platforms. In a sense, the damage may already be done.