What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is an EU law that is designed to protect personal data and privacy for citizens of the European Union. The law gives users control over how their data is used and collected by companies and businesses. The law mandates that data collection policies must be fully disclosed, and it must be stated how long the data is being kept and if it’s being shared with any third parties.
Companies or businesses that collect personal data on citizens are required to ensure that data is anonymized and that the information isn’t available to the public unless the individual gives consent. This has created more complicated work for telecom consulting firms.
Lastly, the law states that a subject who has shared his or her data can revoke consent to share that data at any time, and the company or business must comply with the request.
What the GDPR Means For Us
Although the law is an EU law, this policy has far-reaching implications, especially for businesses operating in the United States. Many US-based companies serve customers in the EU, and they need to adhere to the policies set forth by the new law.
While more and more companies are stepping up to provide better security and transparency with regard to users’ private information, there’s still a lot of work to be done.
Thanks to the directive, US-based companies that do business within the EU will now have to ensure user data is encrypted and protected in such a way as to prevent unauthorized access or loss. Companies that fail to meet these standards face hefty fines. Also, companies must provide quick and detailed notifications if security is breached and user data is compromised.
Another area where US businesses must beef up their handling of data is consent. The new law stipulates that user consent to access their data must be clear and unambiguous. An example is the case where someone signs up for a service and must uncheck a pre-checked box to opt out of data sharing; the law says this practice is no longer acceptable.
Companies must also comply with a user’s request to ‘forget’ them, or in other words, delete personal data. Any company that doesn’t have a mechanism for handling these requests will have to employ one if they hope to comply with the new law.
Where Are We Now?
We’re approximately 90 days out since the GDPR was passed, and in that time, companies have been quietly updating their privacy policies. Users may have noticed emails showing up from internet services and companies notifying them of their updated privacy and security policies. Many people have to log into their favorite web-based service or company to update their privacy settings and agree to new data collection terms.
Also, users signing up for new services are finding themselves having to jump through more hoops when it comes to sharing their data, and while this can be an inconvenience for some, the result should be more privacy and better protection of your data.
While these are the outward signs of what’s changing, most of the changes are going on behind the scenes. It’s not uncommon for companies like Google or Facebook to share information about their users with advertisers or other internet services. This new law dictates how companies can share your data once it’s been collected, which means companies will have to rethink how they deal with analytics and targeted ads and services. It’s not unheard of for a company to be dealing with many partners, all of which want to target you with ads, deals, and services.
In June of 2018, California legislators passed a data protection policy (the California Consumer Privacy Act) that is similar to the GDPR in that it seeks to inform consumers what personal information is being gathered by internet-based companies. Also, like the GDPR, this law gives California residents the right to know if these companies are sharing their personal information, and with whom. Lastly, the new law gives Californians the right to opt out of that sharing of information and to have full access to all information that has been collected on them.
Where this law differs is that the GDPR went into effect in May of 2018, while the California law isn’t set to go into effect until January of 2020.
Where Do We Go From Here?
Thanks to the high-profile Cambridge Analytica scandal that embroiled Facebook and its CEO Mark Zuckerberg, data privacy and security are a higher priority for many people using internet-based services. While a lot of people are comfortable turning over their data for the sake of the convenience of getting personalized notifications or ads, plenty of other people are now wary of what information is being collected, how it’s being stored, and who has access.
The truth is that even though there are concerns, and laws have been passed, the path forward is unclear. Some countries recognize that personal data protection is a human right, while other countries aren’t prepared to go that far.
Here in the US, we have limited protections right now when it comes to particular kinds of data, such as our health data, but there’s nothing as comprehensive as the GDPR or the California Consumer Privacy Act that blankets the entire country.
Right now there is very little protection afforded to consumers when it comes to their data. Most internet companies still employ lengthy, hard-to-read terms of service and require users to opt out of data sharing rather than opt in.
Members of Congress are beginning to craft and introduce legislation to better protect consumers’ data, but something as comprehensive as the GDPR is still a long way off.