Amid the controversial data breaches that affected millions of people around the globe, the European Union (EU) finally implemented the General Data Protection Regulation (GDPR) as part of its data protection reform. The objective is not only to protect user data but also to give users the right to know where and how their information will be used.
As early as 2012, the European Commission embarked on a mission to reform data protection across the members of the EU. In 2016, member countries came to an agreement designating 2018 as the year the GDPR would be fully enforced. In May 2018, it came into force.
GDPR institutes a unified law across the EU and its member nations. Organizations operating within, or having dealings in, the continent need to follow one set of rules. Although it is implemented within Europe, it affects a huge percentage of companies around the world.
How does GDPR work?
Now that businesses are digitizing their operations, consumers are compelled to do their transactions online. This means they have provided these companies with their personal information (bank records, credit card numbers, health records, and so on) to avail themselves of certain services. It also means that this information is there for the taking by any person or organization unless the company has an existing and effective data protection system.
Beyond outright compromise of user information, the GDPR also aims to prevent scandals like the one that recently hounded Facebook, in which Cambridge Analytica was able to access and harvest the information of 87 million users and allegedly used it to help elect US President Donald Trump.
User information, or personal data, includes a name, an identification number, location data, or an online identifier. The GDPR also defines personal data as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
Organizations operating within the EU and/or offering services to the EU need to comply with GDPR.
GDPR designates two types of data handlers: processors and controllers. In its FAQs, GDPR defines the controller as a person or organization that determines the purposes for which the data are used, while the processor is a person or organization that processes personal data “on behalf of the controller.” The latter is also legally responsible for maintaining records of personal data and of how they are processed.
Although companies lose revenue when a data breach happens, consumers are the biggest victims: the information they entrusted to an organization has been stolen and is exposed for the cyberworld and cybercriminals to see.
GDPR establishes stricter rules on the conditions of consent. Where previously terms and conditions were so long to read that users simply clicked “I accept” without fully knowing what they were agreeing to, the new rules direct companies to make these requests for consent easy to understand and to do away with the legalese. “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of ‘opt in’ will suffice. However, for non-sensitive data, ‘unambiguous’ consent will suffice,” the GDPR states.
GDPR gives power to consumers because they now have the right to know if and when their data were compromised. Unlike before, when organizations informed customers only if the hacking was exposed, GDPR requires companies to inform their country’s regulating or national privacy authorities within 72 hours of the breach. Organizations also have to be specific about how they will use consumer data.
Consumers can opt out of a mailing list. Organizations need to seek users’ permission before including them in a mailing list that is sent out periodically.
Data erasure allows users to ask a data controller to delete all of their data. It is also known as the “right to be forgotten.”
Organizations that fail to comply with GDPR can be fined up to 4 percent of the company’s annual global turnover for breaching GDPR, or €20 million (around $24 million). This is considered the maximum penalty for serious infringements, such as violating the core Privacy by Design concepts or not having sufficient consent to process user information.
If companies do not have their records in order, they are set to pay a fine of 2 percent as part of the tiered approach to fines. Companies will also be penalized if they fail to notify national governing bodies and users of a data breach. GDPR emphasizes that penalties apply to both controllers and processors.
Aside from notification, companies are required to provide information on the extent of the data breach and how much data were compromised.
Ultimately, companies need to draw their own set of guidelines to comply with GDPR. The strategy depends on what information and consent the company needs from its customers.
GDPR was put into effect to minimize the risk of data breaches and “uphold the protection of personal data.”