A digital privacy change in Europe three years in the making takes place this week, and because our world is one big interconnected web, it is likely to affect you.
GDPR, or General Data Protection Regulation, is a European Union law created to put more protection and control back into the hands of individuals. Theoretically, an individual has the power to find out what data a company is collecting about themselves. This includes when data held about them is used to make decisions; for instance, your credit information. The individual has the right to request that this data not be used to make those decisions; to have those algorithms explained; or have data deleted if it’s been used for a different purpose from which it was collected, they reverse their permission, or if it was collected for a different purpose.
Regulators have much more power to enforce compliance across the whole block, instead of having to work individually in each country, with a new range of fines available to be used against anyone discovered of improperly handling data. Properly handling data means that data needs to be encrypted as soon as possible. Data needs to be deleted by the company when the relationship ends, even if not requested by the client. Any test data used in development needs to be depersonalized. Any data breaches need to be reported within 72 hours of discovery, and anyone affected by those breaches needs to be notified. This affects any company based in Europe or which does business in Europe and has any kind of European foothold.
Last year, the credit monitoring company Equifax had a security breach exposing the personal data of 143 million people. If GDPR were in effect at the time and Equifax was based in Europe, it would have faced billions in fines and likely forced out of business.
Understandably, this is creating consternation in an industry that hasn’t really been that open to this kind of scrutinization. Most EU companies are having to adapt and adopt new terms and conditions, and new data policies to be compliant, possibly even dropping wholescale models of data harvesting they had employed. Explicit consent to collect data has to be granted by individuals before companies can collect anything or it must be a vital part of the activity they are conducting.
Theoretically, although this doesn’t apply to the U.S., given the size of the EU, many companies will roll out GDPR-style policies worldwide, as it’s easier than creating regional policies, although many reserve the right to apply the policy differently in other countries. It’s unclear at the moment whether you can insist to see all the data Amazon holds on you or have parts of that information deleted if you live in the U.S., although you would be able to as a United Kingdom citizen (even post-Brexit as that law will continue past next March when the UK leaves the EU).
For online services, most sites will bring up a box as you login asking you to opt in or out of various options before using the service. Any personalized publicity offered must be able to be opted out of, with generic publicity can be shown in its place. Some companies are taking the approach that you have to opt in to receive any service; if you opt out, you will not be able to use their service, including services like Facebook. The large majority of Europeans will click through those terms without a thought because they want to use the service. It’s also likely that these companies will make all their users worldwide agree to the new terms, so, even in the U.S., you should expect to see more and more of these requests over the next few days.
Depending on the legal advice received by an EU company or organization, the implementation for non-online services appears to be following the same standards. Most are communicating to say that their terms and conditions are changing. Many will ask you to accept these terms and conditions, which contain a permission-to-store-personal-data clause, either in an email or a clickable web page, thereby continuing the relationship you have with them. That click must be recorded and provable. Others have even gone as far as emailing a form you need to print, fill in your details by hand and mail it back to them, which in all but the most intensely held relationships will result in the company losing almost all of their subscribers. Most are gaining permission somewhere between the two options.
If you decide to ignore these emails, it will probably mean that you will no longer receive communication from that entity, as your data should be deleted by law. Resubscribing should be easy enough and will give your consent for the company to hold your details in order to communicate with you. It seems likely that some companies may rethink their approach when they discover they have lost most of their subscriber base. Whether this happens before May 25, 2018, is another thing. Most experts believe that very few companies are ready for GDPR, although it looks like companies have two years to fully comply with the new law.
Facebook has worked to lessen the number of members who fall under the GDPR by moving any members residing in countries outside of North America and Europe from terms and conditions based in Ireland, where they previously were tied, to the U.S. and Canada.
If you have customers in Europe, you need to understand the implications of GDPR because it will affect you, even though you may not have a physical presence anywhere in Europe. You will need to explicitly ask permission before storing any customer data for European citizens and keep a record of the response. You need to delete that data when the relationship comes to an end and be prepared to send any information you store on an individual to them on request. That information needs to be encrypted while at rest on your computer system. If you are part of the supply chain for them, you may need to fully comply with GDPR in order to maintain the contract.