What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation that aims to give individuals in the European Union (EU) control over their personal data. Another objective of this regulation is to provide a simpler regulatory environment for international business within the EU.
How Did the GDPR Evolve?
The precursor to the GDPR was the Data Protection Directive which was adopted in 1995. The GDPR contains requirements associated with the processing of the personal data of individuals located in the EU.
The GDPR was adopted in 2017 and became effective on May 25, 2018.
What is Personal Data According to the GDPR?
The following types of data are considered personal in the context of the GDPR:
- IP address
- Sensitive data, such as genetic or biometric data, that could be used to identify the owner of the data
Who is the GDPR Applicable to?
Almost every large enterprise in the world will need to consider GDPR compliance. This is because the GDPR applies not just to organizations within the EU, but also to any organization that may be outside the EU but offers services or goods to enterprises and customers within the EU.
The GDPR requires that organizations that handle the personal data of users must:
- Use techniques, such as anonymization of collected data, to protect the privacy of users.
- Design their information systems with a focus on privacy.
- Either get consent from the user for processing their data or have other legitimate purposes for processing the data.
- Report any breaches in terms of data privacy.
- Appoint a data protection officer (DPO) if the organization’s core activities involve personal data handling.
- Clearly disclose data collection, its purpose, how long the data will be retained, and whether the data is being shared with third parties.
What is the Cost of Non-Compliance?
The fine amount depends on how severe the privacy breach is. It also depends on the amount of effort the company has taken to adhere to compliance requirements and regulations.
Organizations that are found to have violated the GDPR could be fined up to €20 million or, in the case of an enterprise, up to 4% of the annual turnover of the previous financial year, whichever is higher. This is a figure that could run into billions of euros for large organizations.
The highest fine of €20 million or 4% of worldwide turnover is for organizations that have violated data protection rights, have not put data protection procedures in place, have transferred personal data across international borders without authorization, or have ignored the user’s requests for their data.
Examples of GDPR Data Breaches
In early 2018, the Facebook-Cambridge Analytica data breach occurred. The personal data of millions of Facebook users was used by Cambridge Analytica, without consent, for the purpose of political advertising. This was done through an app that was created by a Cambridge academic. The app used not just the personal data of users who responded to a questionnaire, but also the data of their friends. In response, Facebook issued an apology and testified in Congress.
Facebook also faces having to pay several billion dollars in fines for accidentally storing millions of user passwords in plain text for several years. During that period, more than 20,000 employees had direct access to those passwords. While there was no evidence of misuse, Ireland’s data protection commission (DPC), which is Facebook’s privacy regulator in Europe, announced that it would be investigating the matter to see if Facebook had breached the GDPR. If a violation was found, then Facebook would be looking at a fine amount of approximately $2.2 billion.
Just a week after GDPR came into effect, CNIL – the French data protection authority – received complaints about Google from two non-profit organizations. One non-profit claimed that Google forced Android mobile users to accept Google privacy policies and consent to the use of their data for advertising purposes. The other mentioned that the personal data of users was being illegally processed by Google for advertising.
Changes Since the GDPR Was Introduced
Ever since the rollout of the GDPR in 2018, there has been an impact on several organizations. According to Forrester, many organizations have seen a reduction of between 25% and 40% of their total addressable market since the GDPR was enforced. They have also had to re-evaluate their data center strategy. For technology companies, this has been an opportunity to market the privacy features of their products.
The CEO of Apple, Tim Cook, has mentioned that the United States would also need an equivalent to the GDPR. “Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency,” said Cook.
The GDPR has impacted policy making around the world. Several countries have signalled that they would either be modifying their privacy laws or introducing new legislation. This includes South Korea, Brazil, Japan, India, and other countries.