On 25th May, the rules regarding data privacy and collection will change. The EU’s General Data Protection Regulation (GDPR) will increase the rights of EU citizens over how their personal data is collected and stored. GDPR also gives EU citizens the right to be “forgotten,” meaning all their data should be deleted upon request. Crucially, the regulation is a world first in internet data regulation as it will apply to any organization around the globe that collects information on EU citizens, regardless of where they are based. Consequently, many companies that are not able to distinguish between European citizens and the rest of the world in an efficient manner due to the internet’s global character are already applying EU’s new regulations to all of their users, regardless of their locations and citizenships.
Unfortunately, the majority of companies have yet to update their policies and procedures, and, with only a few weeks to go, risk facing heavy fines for non-compliance amounting to €20 million or 4% of their global income, whichever is more.
Previous litigation not enough for GDPR
Since 1995, the EU’s Data Protection Directive (DPD) has defined personal data as any information that can be used to identify someone, including their name, email address, phone number and number IDs. Organizations had to seek consent to collect user data and use it.
However, loosely worded terms and conditions, advancing technology and globalization have all enabled organizations to circumvent the DPD in their efforts to boost their online marketing campaigns. Especially, by positioning their servers “offshore” from an EU member state, organizations inside the EU were able to avoid these strict rules.
What is the GDPR?
The GDPR redefines “personal data” to include other common means of identifying a user online—including online behavioral habits and geolocation or mobile device identifiers—and businesses can no longer collect data on EU citizens from third-party sources (e.g. data scraping from social media sites). Instead, they must seek direct consent from the users themselves. EU residents will also have the “right to be forgotten”—i.e. that all of their data is removed from your servers at any time.
The GDPR also insists upon greater protection against data breaches by demanding organizations to meet certain minimum-security requirements on any servers that house personal user data. Be aware that even if the servers are owned by a third-party company, organizations collecting user information will still be liable for any breaches of sensitive data, so it would be wise to ensure any partners also comply with the new regulation.
GDPR, while technically an EU regulation, is already influencing data protection across the globe. Most organizations don’t currently discriminate between nationality when storing or handling user data, so the GDPR will likely be enacted as though it were global litigation, with organizations affording the same rights to everyone.
Twitter’s new privacy policy announcement ahead of Europe’s new data regulations policies shows already the sweeping effects of GDPR. Interestingly enough, Twitter’s new privacy policies go into effect on May 25, the same day when GDPR becomes law.
On the other hand, Facebook and Linkedin among others, are already moving their servers out of Europe to decrease their liability under EU’s new data protection regulations and limit these new user rights to Europe’s citizens. Previously, these companies were registered in Ireland to benefit from its low corporate tax rates. In the case of Facebook alone, more than 1.5 billion users will be moved outside GDPR’s space.
Most organizations are still not ready for GDPR
Some surveys have found as few as 11% of businesses are ready for GDPR, with only 44% saying they are “somewhat prepared.”
As well as facing unprecedented fines from the data protection regulators in EU countries which will enforce the new laws, EU citizens will also have the right to demand compensation from any organisation that fails to meet their rights to transparency or removal of their data. Thus, non-compliant organisations don’t only face a huge monetary hit, but will likely suffer reputational damage, too.
The good news
Fortunately, company and government leaders remain hopeful the GDPR will have a long-term positive effect on businesses; 71% believe that complying will enable them to improve their data governance overall, while 30% believe publicly declaring compliance with GDPR will improve their organization’s public image.
If your organization relies on the use of customers’ personal data in any way, it is imperative you create and enact a plan to comply with GDPR. While it might require a sudden and unexpected investment, conforming with these regulations is mandatory if you collect any EU-resident data and in the long run, will help you to win over more privacy-aware users.