The Opinionated Investor™

Unadulterated hot takes on Products, Investments, and Life!

What the heck is GDPR? Should you care?


I’m sure every one of us has recently noticed the bombardment of emails about updated privacy policies from companies such as Facebook, Twitter, Venmo, Medium, Spotify, etc. Yet very few of us bother reading those lengthy, unpleasant emails. Me neither! (Until writing this post, of course.)

In the aftermath of the Cambridge Analytica scandal, being a tech-savvy proponent of data privacy, I decided to dig deep to understand what the heck GDPR is and why the average consumer should care about it.

The Who?

The General Data Protection Regulation, commonly known as GDPR, was proposed by the European Union (EU) as a replacement for its obsolete Data Protection Directive 95/46/EC, which was more than two decades old. According to Article 8 of the EU Charter of Fundamental Rights, EU citizens have the right to the protection of their personal data.

The What?

GDPR is essentially a law to protect “personal data”. Personal data is any information relating to an identified or identifiable “natural person” (any living human being): for example, name, address, location data (such as an IP address), health information, income, cultural profile, political opinions, etc. The full text of GDPR can be found here.

The Why?

GDPR was brought in to strengthen individuals’ rights over their own data privacy. The old law, a directive written back in 1995, predates smartphones and the plethora of gadgets we use day in and day out. With new technologies collecting data about every aspect of users’ lives, the need was increasingly felt to up the ante on data privacy laws. Hence, the GDPR. Unlike a directive, a regulation also applies consistently across all 28 EU countries, making it easier for companies to comply and for regulators to prosecute.

The When?

GDPR was introduced on April 27, 2016, and has been in effect since May 25, 2018. However, there are still concerns about what compliance means. Hence, it is estimated that for the initial few years the EU will use this law to educate users, give guidance to companies, and adjust as time goes on.

Why should I care, I’m not an EU citizen?

Well, if you do business in Europe or collect data of European citizens in any way, directly or indirectly (through third-party providers), you’re within GDPR’s ambit. Moreover, following GDPR, most companies have decided to apply the same rules and regulations to their data irrespective of the country you live in. For example, the email I received from Medium clearly states the implications for all users.

What should businesses do to comply?

Though GDPR might seem like a lengthy, complicated document, in reality it is a simple, effective tool to protect users’ data. It asks companies to focus on data protection by design. Here’s a simple checklist you can follow to ensure compliance:

1.    Communicate:

  • Use simple language.
  • Tell users who you are when you request data.
  • Specify why you need their data, how long it will be stored, and who receives it.

2.    Ask for explicit user consent:

  • Get clear consent to process users’ data, i.e. no more fooling users with pre-checked boxes.
  • For children’s data, check the age limit for parental consent.
  • No more willy-nilly sharing of data to third parties.

3.    Inform and Warn:

  • Inform users of data breaches within 72 hours. (Recital 85 of the law)
  • Give people the right to opt out of direct marketing that uses their data.

4.    Safeguard sensitive data:

  • Use extra safeguards for information on health, race, sexual orientation, religion, and political beliefs.
  • Make legal arrangements when you transfer data outside EU-approved countries.

5.    Erase data:

  • Give users the “right to be forgotten”: erase a user’s personal data permanently if they ask.

No Trespassing: Violators will be heavily prosecuted

According to Article 83, infringement of GDPR provisions can lead to “administrative fines up to 20,000,000 Euros or 4% of total worldwide revenue of the preceding financial year, whichever is higher”. For a company like Facebook, 4% of revenue would mean a fine of approximately $1.5 billion!

In conclusion, I believe GDPR is a great move by the European Union to protect users’ data privacy. Other parts of the world should consider taking a page out of GDPR’s book.

Aman Kataria

Product Manager | Investor | Airbnb Superhost