What is GDPR?
General Data Protection Regulation (GDPR) is a regulation that aims to give control to individuals in the European Union (EU) over their personal data. Another objective of this regulation is to provide a simpler regulatory environment for international business within the EU.
How Did GDPR Evolve?
The precursor to GDPR was the Data Protection Directive that was adopted in 1995. GDPR contains requirements associated with the processing of personal data of individuals located in the EU.
GDPR was adopted in 2017 and became effective on May 25, 2018.
What is Personal Data According to GDPR?
The following types of data are considered personal in the context of GDPR:
- IP address
- Sensitive data, such as genetic or biometric data, that could be used to identify the owner of the data
Who is GDPR Applicable to?
Almost every large enterprise in the world will need to consider GDPR compliance. This is because GDPR applies not just to organizations operating within the EU; it applies to any organization, even one outside the EU, that offers goods or services to enterprises and customers within the EU.
GDPR requires that organizations which handle the personal data of users must:
- Use techniques, such as anonymization of collected data, to protect the privacy of users.
- Design their information systems with focus on privacy.
- Either obtain the user's consent for processing their data or have another legitimate purpose for processing it.
- Report any breaches of personal data.
- Appoint a data protection officer (DPO) if the organization’s core activities involve personal data handling.
- Clearly disclose data collection, its purpose, how long the data will be retained, and whether the data is being shared with third parties.
What is the Cost of Non-Compliance?
The amount of the fine depends on how severe the privacy breach is. It also depends on how much effort the company has made to adhere to compliance requirements and regulations.
Organizations found to have violated GDPR could be fined up to €20 million or, in the case of an enterprise, up to 4% of the annual turnover of the previous financial year, whichever is higher. For large organizations, this figure could run into billions of euros.
The highest fine of €20 million or 4% of worldwide turnover is for organizations that have violated data protection rights, have not put data protection procedures in place, have transferred personal data across international borders without authorization, or have ignored the user’s requests for their data.
Examples of GDPR Data Breaches
In early 2018, the Facebook-Cambridge Analytica data breach occurred. The personal data of millions of Facebook users was used by Cambridge Analytica, without consent, for the purpose of political advertising. This was done through an app that was created by a Cambridge academic. The app used not just the personal data of users who responded to a questionnaire, but also the data of their friends. In response, Facebook issued an apology and testified in Congress.
Facebook also faces having to pay several billion dollars in fines for accidentally storing millions of user passwords in plain text for several years. During that period, more than 20,000 employees had direct access to those passwords. While there was no evidence of misuse, Ireland’s Data Protection Commission (DPC), which is Facebook’s privacy regulator in Europe, announced that it would investigate the matter to see whether Facebook had breached the GDPR. If a violation were found, Facebook would be looking at a fine of approximately $2.2 billion.
Just a week after GDPR came into effect, CNIL – the French data protection authority – received complaints about Google from two non-profit organizations. One non-profit claimed that Google forced Android mobile users to accept Google privacy policies and consent to the use of their data for advertising purposes. The other mentioned that the personal data of users was being illegally processed by Google for advertising.
Changes Since GDPR Was Introduced
Ever since the rollout of GDPR in 2018, there has been an impact on several organizations. According to Forrester, many organizations have seen a reduction of between 25% and 40% of their total addressable market since GDPR was enforced. They have also had to re-evaluate their data center strategy. For technology companies, this has been an opportunity to market the privacy features of their products.
The CEO of Apple, Tim Cook, has mentioned that the United States too would need an equivalent to GDPR. “Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency,” said Cook.
GDPR has influenced policy making around the world. Several countries, including South Korea, Brazil, Japan, and India, have signaled that they will either modify their privacy laws or introduce new legislation.