The May 25th deadline for enforcement of the General Data Protection Regulation (GDPR) is looming. But what does that mean for companies outside the European Union that deal with data? The sobering reality is that the regulation applies to everyone who collects data from a citizen of the EU in order to provide goods or services.
The regulation applies regardless of where the organization is located or where the data is stored or processed. That means virtually everyone who offers any service that, in any form, involves a server-side component is likely to be affected and must therefore comply with the regulation.
But what exactly is in the 99 articles of the GDPR? What is the good, the bad and the truth about them?
The key elements of the new regulations are:
Consent: the end user whose data is collected (or, in legal terms, the ‘data subject’) must give explicit consent to both the collection and the processing of the data. The position of the data subject is strengthened in such a way that consent must be acquired in a clear manner and not buried in the fine print of license agreements or privacy statements (the Principle of Transparency).
Ownership: the data subject retains ownership of their personal data and can request that it be deleted (the Right To Be Forgotten). The data subject can also obtain the collected data for their own processing (the Right to Access), as well as have the data moved to other services (the Right to Data Portability).
Privacy by Design: requires that systems are designed from the ground up with privacy protection in mind, and that the amount of data collected is minimized to only the operationally necessary data.
Breach Notification: the requirement to notify the public within 72 hours of becoming aware of a data breach has been widened. It now also requires notifying every individual data subject whose data was leaked, without undue delay.
The GDPR clearly strengthens the individual’s rights to their own data. These days we regularly hear about leaked credit card information or social insurance numbers, so this is long overdue. Furthermore, considering that consensually collected data was allegedly used to manipulate elections, we can see that the public at large was mostly oblivious to the value and dangers of the data they freely share. Providing tools for individuals to manage their data, as well as enforcing transparency to encourage users to make informed decisions, is a positive and necessary step.
The GDPR leaves some room for interpretation about what personal data is. Although examples are given that range from social media posts to IP addresses, what counts as personally identifiable data is not clearly defined. Weighing the public interest in certain data against the rights of the individual, without any precedent to rely on, is not easy. Organizations implementing procedures to follow the regulation are pretty much on their own, and it is doubtful that a consistent approach will be available by May 25th.
Penalties for not following the GDPR can be stiff. For small companies where data processing is a mere side effect of their core operations (e.g. a small manufacturer collecting data for CRM and billing purposes only), the effort required to comply with the regulation is huge. Yet such companies could easily be bankrupted if the penalties for non-compliance are imposed on them as intended. Large organizations with billions of users and market capitalizations in the hundreds of billions of dollars will likely be able to fight drastic changes and penalties for many years. This is unfortunate, since it seems the GDPR was formulated mostly with those organizations in mind.
The attempt to strengthen individuals’ rights to protect their data is an important and commendable move. One can only hope that other countries follow suit and that similar regulations will eventually come to form the “Global Data Protection Rules”.
At CounterPath, we are committed to protecting the privacy of our users. For this reason, we encourage any and all new opportunities to do so. We have taken the appropriate measures to protect user data and have been implementing these practices for some time. To learn more about our GDPR policy, please visit: go.counterpath.com/privacy/gdpr.