GDPR will be enforced from the 25th of May, and it is going to have a strong impact on the largest tech firms, including Google and Facebook. It replaces the earlier law, the Data Protection Directive.
GDPR applies to all tech companies based in the 28 EU countries, as well as those based outside the EU that provide services to the EU. It imposes strict rules on processing personally identifiable information (PII) and on controlling the personal information of users.
The aim is to give control over personal data back to European Union residents. If you are based in the EU, it will not be very easy for Google, Facebook and other social media companies to gain access to your personal information. Let’s take a closer look at GDPR and understand how it will affect various entities:
What is GDPR?
The General Data Protection Regulation replaces the earlier data protection law. All companies that process or hold any EU resident’s data, even if they are not based in the EU, will have to follow GDPR.
Many tech companies are unaware that they would be liable to legal action by the EU if they disregard GDPR. Any organization anywhere in the world that provides goods or services to EU residents, or monitors EU residents’ behavior, has to comply with GDPR.
The result will likely change the manner in which customer data is stored, collected and used. Technology companies will also have to pay high fines if GDPR requirements are not met. Other important clauses in the new act include breach notifications, the responsibility to transfer data out of the EU and opt-in consent. These and other essential items are expected to affect businesses in a huge way.
The Key Policies of GDPR
GDPR emphasizes removing the confusing and vague statements used to get people to hand over their personal data. With the General Data Protection Regulation, companies will no longer be able to extract consent for various things at one go.
This is expected to be the game changer, as firms will now have to formulate different statements to gain different data. Another aspect is that companies will have to make it easier for people to withdraw their consent as well. For minors under the age of 16, a parent, or anyone holding responsibility equivalent to a parent, has to opt in to data collection on behalf of the child.
Consumers get control of their data
Another major aspect of the regulation is that EU customers will now be able to know how and for what purpose their data is being used. Consumers will therefore have more control and the right to know how and where their data is used, and they will also have the right to be forgotten.
That is, they can ask for their data to be erased and ask third parties to stop using or processing it too. If you are a resident of the EU, you can ask companies to ‘forget’ you, or have your data transferred to your preferred service provider.
Protection of data from hackers
Cyber security has become one of the major concerns today. We hear of many cases where websites have been hacked and personal information has been leaked or lost. With these factors in mind, the GDPR authorities have introduced a specific rule.
Under this rule, in the case of a data breach, customers/members have to be notified within 72 hours. The rule applies to any company that handles personal or sensitive information of customers. Failure to do so can result in drastic consequences and even fines.
What are the punishments for breaking the rules?
Fines are tiered, with different fines for different violations. A firm can be fined as little as 2% for not keeping its records in order, for not notifying a data breach, or for not conducting an impact assessment. These rules apply to both data processors and data controllers.
There is a huge price to pay (literally) for non-compliance with GDPR. If any organization is found to have breached GDPR, it will have to pay 20 million Euros or 4% of its global annual turnover, whichever amount is bigger.
This spells trouble even for companies that make billions every year, as they will have to shell out a huge amount for any breach. The 4% fine is the highest fine that can be imposed, reserved for serious violations.
What is the impact on major tech companies?
Firms have been preparing for GDPR for the past two years. As the GDPR compliance deadline approaches, companies like Facebook, which have millions of people’s data on file, are releasing new privacy tools to comply with GDPR. Experts expect both monthly and daily average users to fall slightly. Many companies have already implemented GDPR requirements, ahead of the compliance deadline in May.
Basic privacy data protected by GDPR
The GDPR regulations protect the following privacy data:
- Name, ID numbers and address, i.e. a person’s basic identity information
- Web information, i.e. IP address, location, RFID tags and cookie data
- Genetic as well as health information
- Biometric data
- Ethnic or racial data
- A person’s political opinions/ideologies
- Sexual orientation
Which sectors are going to be the most affected?
According to industry experts, the technology sector will be the most affected by GDPR. It would be followed by the online retail sector, the software and financial sectors, the SaaS services sector and packaged goods.
Who would be held responsible for GDPR compliance within an organization?
GDPR defines several roles within organizations that are held responsible for ensuring compliance with its rules and regulations: data controller, Data Protection Officer (DPO) and data processor.
Data controllers define the manner in which personal data is used and processed. They are also responsible for ensuring third-party compliance.
Data processors include the internal groups that process or maintain personal records, as well as outsourcing firms that perform some or all of these activities. So, if your firm falls within the ambit of GDPR, you would be held responsible for a data breach, not your processing partner.
The DPO oversees the security strategy as well as compliance with GDPR law. Public authorities like law enforcement may be exempt from appointing a DPO. Companies must appoint a DPO for two main reasons:
- If they store or process huge amounts of EU residents’ data
- If they monitor data subjects and/or are a public authority
Organizations have spent, and are still spending, millions of dollars to change their privacy tools before the May 25 deadline. GDPR is good news for internet users in the EU, as their data privacy will be protected legally. It will also lead to more transparency about the use of personal information and give users more leeway to grant or withdraw consent to the use of their valuable information.