Complex situation for GDPR compliance.
General Data Protection Regulation (GDPR) has gone into effect in the E.U., but questions remain as to what compliance actually means. GDPR is a European regulation that affects any organization that handles data on E.U. citizens or businesses. This means any entity in the U.S. is subject to enforcement actions, such as fines, if it does business with any E.U. citizen. It may be an E.U. law, but it has a global impact. While U.S. consumers aren't protected by the regulation when it comes to non-E.U. companies, the law could either prompt similar regulations or create an environment where industry voluntarily implements GDPR-like protections in response to consumer demand.
GDPR is considered the most comprehensive regulation on the protection of personal data in the world, with a set of requirements that promise to cause a number of debates globally. It's about privacy, cybersecurity, the role of technology and technology companies, the value of innovation and the future of the transatlantic economy. It's also widely known that many companies aren't ready for the regulation. GDPR contains a series of articles that lay out a complex set of requirements for those handling E.U. citizen data. What compliance actually looks like in real terms is another issue altogether. There are several areas of uncertainty that will only play out and become clarified over time. GDPR applies to any organization that collects data about E.U. residents, whether or not that organization has a physical presence in the E.U. This includes American companies. While Europe has had data privacy frameworks in place since the mid-1990s, GDPR changes things first and foremost by applying, for the first time, to data collected about E.U. residents by organizations located anywhere in the world, leaving many companies outside the E.U. scrambling to overhaul their processes.
Facebook has taken several steps in an attempt to give people more control over their privacy and to explain how it uses data. People are asked to choose whether they want Facebook to use data from partners to show them ads. They can also choose whether they want Facebook to use political, religious and relationship information on profiles to target ads and content, among other things. In many cases, U.S. consumers win too. Some companies are overhauling their processes across the board, so even though the changes are targeted at E.U. residents, U.S. users will benefit from a halo effect. Enforcement promises to be a financial deterrent. Violations can incur fines of up to 4 percent of global turnover or 20 million euros, whichever is greater.
Many firms around the world are thinking strategically about their relationship with the personal data they collect on their users, including information gathered from websites, account registrations, social media, advertising efforts, marketing efforts, newsletters, list rentals, data brokerages, public sources of information and more. For U.S. companies, this presents both an operational challenge and an institutional one. The E.U. definition of personal data is far broader than what is typical in the United States. Under GDPR, consent must be obtained before any data is collected, let alone kept or used for follow-on purposes such as targeted advertising. This changes the way an American company, such as Google's subsidiary DoubleClick, profiles and targets ads to internet users in the E.U.
The legislation contains a number of specific data-handling requirements that will be new for the thousands of U.S.-based companies that will need to comply with the GDPR because they have E.U. customers or partners. GDPR specifies how consent must be obtained. This includes requiring transparency in privacy policies, without legalese. The information related to data processing should be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Companies also have to implement privacy by design, which means they are required to collect only data that fulfills the functions of their business. GDPR demands that companies implement measures such as data minimization, which means asking only for what one needs, for a specific use and timeline. Keeping personal information indefinitely, or maintaining databases of information that has no immediate use, is prohibited.
Data masking is another new requirement, similar to the anonymized data sets used today to protect individual privacy while allowing insights on demographics across large data sets. GDPR enhances privacy by replacing most identifying fields within a data record with one or more artificial identifiers, or pseudonyms. GDPR also adds a data-breach notification requirement that mandates notification to authorities of an incident within 72 hours of its discovery. This is a marked departure from U.S. practices, which are determined on a state-by-state basis. GDPR also gives E.U. individuals data service rights that affected American companies will have to comply with, including the right to receive records of data processing. E.U. citizens can ask for information on what personal data is being collected and for what purpose. For now, an E.U. data subject will need to file a subject access request, or SAR, by email, fax or letter asking for their personal data. Companies now have to respond within one month of receiving the request, even if the company is not based in the E.U.
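As an added illustration (not code from the article), the following Python shows one way to apply the data minimization and pseudonymization described above: direct identifiers are replaced with keyed pseudonyms, fields with no stated purpose are dropped, and the key is kept apart from the data set so a subject's records can still be located for a subject access request. The field names, key and records are constructed placeholders.

```python
import hmac
import hashlib

# Placeholder key: in practice it lives in a separate, access-controlled
# key store so the pseudonymised data set alone cannot be re-identified.
PSEUDONYM_KEY = b"placeholder-key-held-in-a-separate-key-store"

# Fields that identify a person directly and must be replaced by pseudonyms.
DIRECT_IDENTIFIERS = {"name", "email"}
# Fields collected for a stated purpose (data minimisation: everything else
# is dropped rather than stored "just in case").
PERMITTED_FIELDS = {"name", "email", "country", "age_band"}


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated): the same
    person always maps to the same token, so records can still be linked
    for demographic analysis, but the token cannot be reversed or
    recomputed without the separately held key."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict) -> dict:
    """Return a copy of the record with direct identifiers pseudonymised
    and non-permitted fields removed."""
    out = {}
    for field, value in record.items():
        if field not in PERMITTED_FIELDS:
            continue  # no stated business purpose: do not keep it
        if field in DIRECT_IDENTIFIERS:
            out[field + "_pseudonym"] = pseudonym(str(value))
        else:
            out[field] = value
    return out


def records_for_subject(email: str, dataset: list) -> list:
    """Locate a data subject's records for a subject access request by
    recomputing the pseudonym with the key; the data set itself never
    holds the e-mail address."""
    token = pseudonym(email)
    return [r for r in dataset if r.get("email_pseudonym") == token]


# Constructed sample records (not real people). The second is the same
# person with different capitalisation; the first carries a field that
# was never needed and is dropped.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "Ada@example.eu", "country": "DE",
     "age_band": "30-39", "religion": "(not collected for any purpose)"},
    {"name": "Ada Example", "email": "ada@example.eu", "country": "DE",
     "age_band": "30-39"},
]


def pseudonymised_dataset(records=SAMPLE_RECORDS) -> list:
    return [pseudonymise(r) for r in records]
```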