Like most Americans, you’ve probably been receiving what feels like an endless stream of emails from your favorite companies (or at least the ones you’ve forgotten to unsubscribe from) as they update their privacy policies to comply with the GDPR. But what is the GDPR? When did it start? And, most importantly, how does it affect you? Here is an overview to help.
The General Data Protection Regulation, or GDPR, is a regulation in European Union law. It covers data protection and privacy for individuals within the EU. This piece of legislation was approved back in April 2016, but it didn’t officially take effect until April 2018. The delay was meant to give companies enough time to adjust and make sure they were compliant with the new law. The intent of the regulation is to give consumers control over the personal data that companies collect about them.
This law doesn’t just affect Europeans, though. It also applies to any company that offers goods or services to people living in countries that fall under EU law. This is a huge change from the EU’s previous data protection law, which is why the GDPR is already having a far-reaching influence, and why we as Americans need to be informed about it.
When a company is asking for consent from a person to access and store their personal data, the request now needs to be easily understandable. This is quite different from before, when companies would hide this question inside long and confusing terms and conditions that no one understood or even read. Companies also can’t bundle consent for multiple things together. For children under 16, a person holding “parental responsibility” must opt in to data collection on their behalf. Most importantly, it must be just as easy to withdraw consent as it was to give consent.
Another rule makes it mandatory for companies to notify their data protection authority of a data breach within 72 hours of first becoming aware of it. The processor of the data will also need to notify customers as soon as possible after learning of the breach.
Under the GDPR, organizations that break the law can be fined up to 4% of annual global turnover or €20 million ($24.6 million), whichever is greater. Some of the biggest technology companies make billions in turnover every year, so this could be a big hit if they were to breach any of the rules. It is important to note that these rules apply to both controllers and processors, which means that cloud-based platforms are not exempt from GDPR enforcement.
When it comes to user data, consumers now have more control over their own information. Users can access their own data and find out where and for what purpose it is being used. They also have the right to be forgotten. This means you can ask whoever is controlling your data to erase it and stop third parties from processing it. Another provision even allows people to take their data and transfer it to a different service provider.