GDPR and You: What You Need to Know about Europe's New Privacy Laws
Introduction to GDPR
Now, before we break into GDPR and what it is, I feel the need to preface this with this: it is best-practice to actually read privacy policies and terms of service before you interact with or use any application. I know this seems like a monstrous chore, especially since the average policy takes around 10 minutes to read completely. These are the terms on which these services get to use your data, how they protect it, and how and what they intend to gather, amongst other things. Unread privacy policies are a contributing factor as to why data scandals like that of Cambridge Analytica and Facebook happen—people are blissfully ignorant of how these products and services are going about using and sharing their data (and usually it's printed right in the policy).
The General Data Protection Regulation came into effect across the European Union (EU) on May 25, 2018 and applies to every single company that deals with the data of EU citizens. This isn't to say that it only affects EU citizens, however, as companies like Facebook and Twitter are global, and deal with that data almost every moment of every day. GDPR, by definition, is a legal framework that sets regulations and guidelines for the collection, processing, and handling of personal information of individuals within the EU.
What is GDPR?
This new set of regulations requires companies that collect data (read: all companies on the internet to some extent) to handle the collection and use of the data in specific ways. To start, companies must now get explicit consent to gather any personal data from a user. Not only must they get explicit consent, but that consent must be easy to revoke by the user at any time. This adds a much greater level of control to how the data gathering is managed and allows users to have complete control of when they share data, and with whom.
The GDPR also implements new boundaries on data breaches. Companies are now required to supply a timely breach notification when a data breach occurs. This entails producing a report for customers and any data controllers within 72 hours of the discovery of the breach. This parameter seems like a no-brainer to me, and had a rule like this existed in the past, it could have helped to protect hundreds of thousands of users from breaches like Equifax. Failure to report these breaches can now result in HUGE fines as well.
The Right to Access Data is probably the most relevant to our readers and is something we're seeing more and more from services like Facebook, Instagram, and Google. This part of the GDPR states that users have the right to request a copy of their data, and the service must provide a complete and detailed free electronic copy of their data, as well as a few examples of how that data is being used. There was a trend in early 2018 of people downloading their Facebook data and gawking at the huge amount of data was actually stored, and this is the reason for that—GDPR forces companies to be transparent with what they are collecting and how they are using it.
In conjunction, users have the Right to be Forgotten, or the Right to Data Deletion. This simply states that, by a users request, a company must totally and completely erase all personal data they have on a user. Now, you should be aware that personal data is not ALL of the data collected, especially online. Your demographic profile will probably still exist for marketing purposes, but things like your name, email, phone number, date of birth, etc. will be required to be removed.
GDPR also requires that users' personal data be portable, or that users have the right to their own data. If a user chooses to move to another service, their data must be provided in a timely fashion, and in a semi-universal format, so the data may be reused by the other service. This concept moves us towards universalizing our data, making it fluid, and making it hassle-free to move between services.
The biggest, and arguably most important tenant of GDPR is an idea of Privacy by Design. This, simply put, means that systems for data collection, storage, and use must be compliant with the proper security protocols from the very beginning. This, combined with a global focus on security, means that our data should become less easy to access by prying, unwanted eyes, no matter what service the data is in.
Why GDPR, and the Concepts Behind It, Are Important
Now, the explanation above is all-but a gross oversimplification of GDPR, but it explains the core tenants that are most relevant to the basic end-user. If you would like to read more for yourself, check out The European Commission's page on the new rules. All of this culminates in the idea that users should have much more control over how, what, and when they share their personal data. And after the gross mishaps with Facebook and Cambridge Analytica, Equifax, Yahoo!, Under Armor, and so many more companies in the 2010s, it's about time we start focusing on privacy and security when it comes to data.
Now, you may be saying to yourself, "But I live in the United States, why should I care about Europe's new data privacy laws?" This isn't an unqualified question by any means, and for the most part, you don't need to worry about them—right now. The fact of the matter is that in a perfect world, these rules would apply to every single person on the planet, not just those in the EU. And with the way companies are embracing these regulations, and building tools to allow for compliance with them, it's only a matter of time before similar rules come into effect here in the US, whether as a law or as a pact between companies to provide an equal, fair, and transparent service to all of their users.
On the same note, companies like Facebook, Google, and Instagram have already created publicly facing tools to retrieve your data from their servers, and many people are already taking advantage of these. Like I mentioned previously, the data downloads were a novelty at first, with people sharing how much data, and what types Facebook had stored on them, but these tools are more than that. These tools are a way to understand the data that is being gathered on you, and to allow you to see just how each little, seemingly inconsequential input adds to the overall profile that is you, online, to advertising and data collection companies.
How to Retrieve Your Data
I mentioned that several services will allow you to get a copy of your data from them, even as US citizens. These include Facebook, whose process is relatively easy and just requires you to click a button within your settings; Google, who requires you to log in and then select which services you would like to gather your data; and Instagram, which simply asks you to provide an email for them to send a download link to. Since GDPR is in full swing as of writing this post, I'm sure there are several other services who have download tools like these, and more and more should be cropping up as time progresses.
Does It Directly Effect You?
Does your business need to be GDPR compliant? Well, that really relies on two factors. First, is your business based in the EU, or do you have a branch in the EU? If you answered yes, then GDPR effects you, and you need to be GDPR compliant. Otherwise, you must ask if you have any clientèle based in the EU. If you answer yes to this question, then GDPR also directly affects you. If it affects you, we recommend taking the necessary steps to become GDPR compliant, and fast, as the fines for not being compliant can range from €20 million, or up to 4 percent of your annual revenue, whichever is greater. Smaller offenses only get fined half of that, but that's still €10 million, or 2 percent of your annual revenue.
This means fines of between roughly $12 million and $24 million. To put this into a little bit of perspective, between Google, Facebook, Instagram, and WhatsApp, over $9.3 billion in potential fines were racked up in the first 24 hours of GDPR taking effect. People and companies are becoming more proactive when it comes to their data and how it's handled, and have proven that they are standing up against shady data collection practices.
Does your company need the tools to become GDPR compliant? Are you looking for more information on GDPR, data privacy, or security? Let us know with the form below, or by starting a conversation on our corresponding Facebook or Twitter posts. Data security is a top priority for the development staff at Armor Techs, and we'll make sure that your customers' and business's data is secure and transparent.