So, what is this “GDPR” thing, anyway?
Since the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, there has been no shortage of media coverage, including news stories, blogs, and memes, and most, if not all, of us have been fed a steady diet of updates.
Pop-ups, emails, boxes to check, buttons to click, and any other method of getting the news out about the change have taken over our digital displays. Equally as common is the confusion, uncertainty, and even a hint of fear. What do we need to know?
Depending on your perspective, you’re informed or oblivious or, like most of us, somewhere in the murky middle ground. Some organisations are using GDPR as a call to arms. Some are using it as a sales tool to sell products and services, most of which are helpful but not a silver bullet by any means. Many are simply thinking that this is yet another “European thing” that doesn’t apply to them. Even more are asking the question, “Are You GDPR Ready?” without even knowing the answer themselves but it’s probably safe to say, “No, we’re not ready.”
While it sounds like old news, like many aspects of technology, we are behind the curve. And for those of you clinging onto Windows XP and Windows 7, I’m looking at you.
Who does the GDPR apply to?
Let’s see. There is Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, (and I’m really not sure about the United Kingdom since Brexit) for starters. Oh yes. I nearly forgot. THE REST OF THE WORLD!
You’re asking what I, as a lowly blogger in Australia, need to concern myself with when it comes to the GDPR? Even if I were on the other side of the planet in the Americas, I would still need to be concerned or, at the very least, aware. For example, the contact form on this website asks for your email address, your name, and some notes, which may very well fall under the GDPR if they concern someone from the EU. Considering I have global readers, that is a very real possibility: I may hold the personal data, even if just a name and email address, of an EU resident.
There are a few things I have learned along the way which I will endeavour to share with you. Bear in mind that laws, regulations, and their applicability are ever-evolving.
- The GDPR grants the European Union (EU) powers to hold organizations and businesses accountable for how they collect, process, and store personal data which could be YOUR data. It’s not like this came out of the blue and blindsided anyone; businesses and organizations had a two-year heads-up. It was on the cards since May of 2016 and while there was lots of time to prepare, there is little time left for excuses. Here we are nearly three years later and still lagging behind.
- The GDPR is European, yes, but it impacts the whole world. Yes, all of it. Funnily enough, the most common, yet misleading, statement I have heard from individuals outside of the EU is that it doesn’t apply to them. The laws of a sovereign nation don’t apply abroad, right? Sure, there are probably exemptions, as with anything else, but there is this thing called “territorial scope”, which means any organization that deals with the data of EU residents must comply with the GDPR.
- Is a business too big for the law to apply? Too global? Too powerful? Organisations such as Apple and Facebook, for example, must comply. Yes, the regulation might have some wiggle-room, but some organisations, though not strictly required, are taking an approach that provides similar controls and protections to non-EU residents. It’s our / their personal data so it must be protected. It’s a good thing, after all, so why not use it?
- “Fine, I get it”, you might say, but why did we get hammered by emails, text messages, and pop-ups every time we went online, logged into a site, or opened an app on our mobiles? Well, some of it was due to the ongoing fallout from the Cambridge Analytica scandal, but most of it was because organizations were getting their ducks in a row to achieve GDPR compliance. If you’re like me and have apps, services, and accounts you have forgotten about, this is a great way to be reminded to clean them up. Reducing your cyber footprint can only be a good thing, right? For what it’s worth, some of those ducks have waddled off in search of bread since, so the work is ongoing.
- We’d agree that organisations that have been around for a while need to catch up, but once we achieve compliance, what is the way forward? Organizations collecting, using, and storing your personal data must consider privacy throughout the whole lifecycle of their products and services. No more keeping “the security people” in the dark and adopting the mentality of “act first and seek forgiveness later”. From the moment a product or service is conceived, privacy must be first and foremost in everyone’s mind.
- While on the topic of new products, it also means that default product and service settings will be skewed in favour of privacy by default (to comply with the GDPR), and then you may choose to change or disable them as you wish. Kind of the “closed to open” approach where you must turn things on instead of off when you get something new.
- Paperwork! Fine print! Miles of text! I can’t be bothered reading all of it! Why am I using so many exclamation points? Who among us has read product and service policies and Terms of Service (ToS) end to end and understood them? Show of hands? Anyone? I thought so. These must be easier to understand. The GDPR states that data policies must be written in plain language so you can understand with greater clarity what you’re consenting to. No more devil in the details. No more signing away your soul. We would likely all agree that, in the past, the verbosity and ambiguity of these epic texts has been more than even the most patient among us can stand. This should now be a thing of the past, or at least headed that way. Then again, every time I read the ToS of a new app, I think we have not progressed much. Sigh.
- It’s my data! MINE! ALL MINE! Well, thankfully, the GDPR gives you the right to take your data with you to another service when you choose to. The principle of “data portability” means you have visibility of the data an organization has collected about you, and you can move that data to a different service provider (yay for the competitive marketplace!). This can be done without losing the data history you’ve built up, and you are closer to becoming the guardian and beneficiary of your own data. There is a lot to be worked out in this regard, but stay tuned and keep watching. It’s your show, after all!
- One of my favourite parts of the GDPR is the right to be forgotten. No, I’m not talking about people that delete and block you on social media (although we all know that happens). Painfully awkward social interaction aside, since you own the right to your data, you also have the right to request its erasure. Delete! It will take a while to purge from the systems in question, but few organisations have the space or desire to retain data, nor the appetite for some hefty penalties for non-compliance.
- In Australia, the Notifiable Data Breaches (NDB) Scheme gives organisations up to a maximum of 30 days to report a breach. In the EU, time is not on your side: the GDPR has a “72-hour rule” meaning that data controllers must report a breach to their supervisory authority within three days after becoming aware of it. By extension, a benefit is learning of breaches sooner when there are potentially significant risks to you and your data. I don’t know about you, but I like this timeline a lot better. The less time my data is in the wild unbeknownst to me, the better!
- Don’t care? You better have deep pockets. VERY deep pockets! No more “slaps on the wrist” where the penalties were easier to pay than the cost of compliance. The top end of town with the billion-dollar turnovers got away with the most egregious offences all the time. Not anymore, as organizations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). That scares me. Ready to comply yet? One example I read used Google, which made $162 billion in 2019 (up 18% year on year). A significant violation of the GDPR (what constitutes significant is subjective) could end up being a $7.13 billion fine. Oooof!
- While this is great for individuals, it’s also great for businesses. Storing personal data is not risk-free and improved data and cybersecurity practices decrease risks for not just individuals, but also for businesses. Think this is insignificant? Ask any organisation who has lost big because of a data breach. The balance sheet does not show the intangibles like loss of trust and public relations disasters. Your reputation in business is priceless.
- In my world, many I speak with admit (with some coaxing, of course) that visibility is lacking. Some organizations don’t know what data they have, where it’s being stored, or how it’s being used. The GDPR encourages organizations to think twice about how much data they collect and what type. They also must justify their reasons for collecting it. The GDPR represents an opportunity for businesses to lead on data collection by choosing to collect only what is necessary to provide a product or service, rather than just gathering information “just in case” they “might” need it one day for something still to be determined.
This is just the beginning, not the endgame. The GDPR provides a baseline set of rules and a roadmap to more ethical approaches to data collection, retention, and processing. It’s a step forward, but the devil will still be in the details for most businesses, although now perhaps a bit more manageable. New controls, even if they “technically” comply with the GDPR for privacy, won’t help if they are too cumbersome or if organizations won’t commit to the underpinning principles that drove this regulation. Old habits can be hard to break.
Still, we’re fans of the fact it encourages a growing culture of responsible privacy, giving individuals the rights, controls, and choices of how their data is used. GDPR: Don’t fear it; embrace it.
Stay safe out there.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.
Originally published at https://www.linkedin.com.