Alex Keane

Lover of Fiction and Games

Why All These Emails About Updated Privacy Policies?

If you’re like me and have an email address, it’s pretty likely that your inbox has been overflowing with emails saying “We’ve Updated Our Privacy Policy.” What are these emails, and why is the entire internet suddenly changing its privacy rules? The answer actually comes from Europe.

What is EU General Data Protection Regulation?

The European Union’s General Data Protection Regulation (GDPR) is a set of rules that became law on May 25, 2018. These rules had been passed in 2016, but a two-year period was given to allow companies time to comply.

What does the GDPR do?

The short version is that the GDPR is meant to protect the privacy of European citizens by controlling how companies use data collected from their users. The GDPR does this through several new rules.

Companies who fail to comply with the new rules are subject to fines of €20 million, or 4% of gross annual revenues, whichever is greater.

Consent

The GDPR strengthens rules on how companies must receive consent from users to collect and use data. Users must opt in to the collection of data, and being opted in may not be a default setting. Policies for how collected data will be used must be written in a way that is understandable to the average person, rather than in long, drawn-out legalese.

Notification of Breaches

The GDPR requires that a company notify its users within 72 hours of any security breach where there is a risk that personal information was accessed. In any breach, users must be notified “without undue delay.”

Right to Access

A user must have access to all data pertaining to them collected by a company.

Right to be Forgotten

A user has the right to request that a company delete all data pertaining to them.

Data Portability

A user has the right to obtain the data pertaining to them in a format that is easily machine-readable and in common use and to take that data to another company.

Data Protection Officers

Companies must have a person in charge of implementing the rules who reports directly to the highest level of leadership in the company and who has no other job in the company which would cause a conflict of interest with their duties regarding private data.

I’m From America, Why Should I Care?

Many of us aren’t even from Europe, so why are we getting these emails about a new rule in the European Union? The internet has given companies global reach, and it is cheaper for a company to have one rule covering how data is handled than to try to sort out who is and isn’t from Europe. This is especially true when mishandling a user’s information could cost the company €20 million.

Is My Business Affected?

As mentioned before, many 21st-century businesses have a global reach. Do you run an e-commerce site that serves customers in Europe? Are you hoping to grow your business to the point where you have customers in Europe? Fill out the Contact Form if you have questions about whether you might have issues under the GDPR.

