In 2012, European authorities decided to work together to standardize personal data practices and privacy protection throughout Europe, rather than allowing every country to set its own standards. The General Data Protection Regulation (GDPR) was finalized in 2016 and took effect on May 25, 2018.
The GDPR governs how the data of people residing in the EU can be collected, stored, and used by individuals and organizations. It is a standardized data privacy and protection regulation that applies in all EU countries and to companies within the EU. When the GDPR went into effect on May 25, 2018, companies around the world were scrambling to comply.
Goals of GDPR
The GDPR was intended to bring the EU’s laws up to par with a modern, internet-heavy world. It gives people more control over their personal data by:
- Establishing rules on how personal data should be used and managed by individuals and organizations.
- Giving more transparency to data practices and user consent.
Although these are the two main goals of the GDPR, it accomplishes much more with respect to data protection and transparency.
Who is Affected by the GDPR?
Every business and every person located in the EU. Individuals in the EU have more control of their personal information, while EU companies that collect personal information must collect, store, use, and manage the information in compliance with the GDPR.
Data collectors and processors are predominantly affected by the GDPR. Organizations operating in the EU must comply fully with the GDPR to continue operating without penalties and restrictions.
Companies not located in an EU nation state are also coming into compliance with the GDPR, perhaps for fear of retribution. It has therefore become best practice to be GDPR compliant if internet users located in the EU might visit your website and submit personal information.
In the United States, for example, there is no official ruling from authorities as to whether the GDPR will be enforced, or on what legal basis it could be enforced. But in many cases, companies are taking a better-safe-than-sorry approach to complying with the GDPR, because the fines are severe.
What Data is Protected by the GDPR?
Personal information (data) is broadly defined by the GDPR. It includes a person’s name, address, photos, IP address, biometric data, genetic data, and other data that is directly linked to a specific individual or can identify a specific individual.
Data that is unrelated to individuals is generally not considered protected.
What Are Data Collectors Responsible for?
The main responsibilities for companies collecting, storing, and managing personal information under the GDPR relate to how the data is collected and stored, while also giving individuals control over how their information is used.
All personal data must be gathered and stored according to GDPR regulations, which are stricter than previous regulations. The GDPR seeks to ensure that less data is lost or stolen by holding the companies that hold the data responsible for protecting it from exploitation and misuse.
GDPR Compliance and Penalties
Companies that do not comply with the GDPR could face heavy fines of up to 4% of annual global turnover or €20 million (whichever is greater).
On May 25, 2018, the first day GDPR was in force, Google, Facebook, Instagram, and WhatsApp were hit with privacy complaints that could result in fines totaling $9.3 billion, according to CNET.
If you would like to learn more about the GDPR, read the specific rules and regulations on the official European Commission website.
The GDPR is changing internet regulations across Europe and the world. With the introduction of stricter data handling laws, greater responsibilities for data management, and harsher penalties for violating companies or individuals, the GDPR is set to change the way business is done everywhere.
For more information about what your company should do to become GDPR compliant, request a free consultation or contact us directly.