Since 2012, the European Union has been developing a major reform of data protection for individuals living in member states. The four-year process resulted in the introduction of the General Data Protection Regulation (GDPR) in April 2016.
The GDPR replaces the Privacy Shield and Data Protection Directive and came into effect on May 25, 2018. There’s a new dynamic between entities who collect data and people whose data they collect. Control is now in the hands of EU citizens.
Knowing about the provisions of the GDPR is crucial to protecting your company from heavy fines for non-compliance.
While the regulations concern the data of EU residents, they’ve also raised the bar significantly for gathering personal data globally, thereby having an impact well beyond the EU. The GDPR demands that data owners provide express permission for data collection. But wait. There’s more.
Data owners may request to see all data collected on them to verify their consent to its use.
This is some of the most stringent control of personal data ever legislated and it affects companies everywhere who collect data from EU sources. For one, this means that the way ads are targeted will change markedly.
And penalties for non-compliance signal just how serious the EU is. Those penalties may reach a maximum of 4% of a company’s turnover, globally, or the equivalent of $20 million USD.
What It All Means
The express consent of data owners is one way in which online interactions will change under the GDPR. There will be much more content ensuring people are genuinely engaged and ready to surrender data. “Click to continue”, for example, will be ubiquitous.
Companies will now be compelled to retool their methods, most importantly in advertising but also in logins and analytics, as the GDPR also sets out rules for data sharing.
Secondary ad-targeting partners are now forced into a position of enhanced transparency, with data owners able to see what data has been collected. And it’s at this secondary level where things get messy.
These formerly invisible data-gatherers must now become visible and rewrite all existing contracts to conform to the GDPR. While there are still questions around enforcement and the reach of liability in the event of a data breach by a sharing partner, there’s no question that the GDPR is going to be costly.
Moments like these tend to separate the wheat from the chaff. Due to the penalties involved, companies will most likely move to using fewer data-sharing partners. That’s great for the privacy of EU residents, but it’s clear it will also result in the atrophy of smaller entities unable to meet the challenge.
A single standard for privacy (whether EU or not) is what most US companies prefer, so they have adapted existing policies to the GDPR. Others may choose to segment off EU data entirely, which would lead to a type of two-tiered internet arrangement in which EU residents live on a different internet planet.