Whether you hung on every word of Mark Zuckerberg's congressional hearing, or you routinely click "share" without a second thought, you can't help but be aware that data collection has become a hotly contested issue worldwide. Enter the GDPR, the General Data Protection Regulation: an EU regulation that takes effect later this month and replaces the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998). So, what exactly does this legislation encompass, and how will it affect both your business and your browsing habits? Read on to learn more.
Technology has changed radically since the mid-1990s, leaving data protection legislation in need of a major update. The GDPR seeks to close the gaps in current law, giving individuals more control over the ways organizations collect and use their data while also strengthening protection against data breaches. Because it is a regulation rather than a directive, it applies directly in every member state without separate national legislation, replacing a patchwork of national rules with one standardized set that organizations in the EU (and the foreign partners that process data on their behalf) must follow.
The need for this kind of comprehensive data protection legislation has come sharply into focus after a series of high-profile data breaches (including LinkedIn and Yahoo). Most recently, Facebook's Cambridge Analytica scandal forced officials to confront the vulnerability of users' personal data on social media. The GDPR seeks to prevent future instances of "data hijacking" by protecting personal data from being collected and shared without the individual's knowledge or consent. Moreover, by applying the same rules throughout the EU and to organizations abroad that process EU residents' data, the GDPR aims to establish a single, clear set of obligations. Failure to comply will be costly: for the most serious infringements, fines can reach 20 million euros or 4% of annual global turnover, whichever is higher. Over time, however, the regulation's drafters anticipate that it will actually save organizations money, as better security controls reduce the cost of breaches and a harmonized legal environment becomes simpler to navigate.
The GDPR takes effect on May 25, 2018. Organizations outside the EU will need to comply as well. Its territorial scope is defined by the data subject, not the company: any organization that handles (or hires another firm to handle) the personal data of people in the EU, whether by offering them goods or services or by monitoring their behaviour, must adhere to the GDPR or face the same steep fines as European companies.
What will companies need to do to comply? Consent is the lawful basis most people associate with the GDPR, and where an organization relies on it, that consent must be "active and affirmative": pre-ticked boxes, silence or inactivity no longer count, and assuming that users agree unless they take separate steps to opt out will no longer cut it. Companies must also keep records of when and how users gave consent and make withdrawing it as easy as giving it, at all times. (Consent is not the only lawful basis for processing; performance of a contract and legitimate interests are among the alternatives, but each has its own conditions, and relying on one must be documented and justified rather than assumed.) Along the same lines, the GDPR requires privacy notices to be written in clear, accessible language, with no legalese or jargon. Individuals must be able to learn what data is being collected and how it is being used in plain terms.
There are several more ways the GDPR gives individuals control over their data. First, it grants the right to erasure, popularly known as "the right to be forgotten": a person can ask a company to delete their personal data, and the company must do so where the data is no longer needed, consent is withdrawn, or processing was unlawful (the right is not absolute; a legal obligation to retain records, for example, overrides it). Where the company has made the data public, it must also take reasonable steps to inform other controllers that are processing it (for example, search engines) of the erasure request. Second, individuals have the right to data portability, meaning they can receive their data in a structured, machine-readable format and move it to another controller; the current controller must act on such a request without undue delay and at the latest within one month, extendable by two further months for complex requests. Finally, breach notification has two parts: a controller must report a personal data breach to its supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. Given the penalties for failing to protect personal data, expect to see heightened security measures (such as two-step verification) rolled out within the next month or so.
You may be asking yourself: but what about Brexit? Isn't the UK leaving the EU soon anyway? The answer is yes, but the UK is passing a Data Protection Bill that applies the GDPR's standards domestically and supplements them for areas the regulation leaves to member states. Moreover, because most UK companies (like US companies) do business with European companies and process the data of people in the EU, they will be required to adhere to the GDPR regardless.
So how should companies prepare? For one thing, start early. Experts advise a complete review of privacy policies and of the lawful basis for each kind of processing, with particular attention to how consent is obtained and recorded. Some organizations must also appoint a data protection officer to oversee ongoing compliance. The trigger is the nature of the processing, not the size of the company: public authorities, organizations whose core activities involve regular and systematic monitoring of individuals at large scale, and those processing special categories of data (such as health data) at large scale are required to have one. (The often-quoted 250-employee figure is a different threshold, relating to the exemption from keeping records of processing activities, and even small companies lose that exemption if their processing is more than occasional or involves risk or special-category data.) Want more details? The article linked in the original post provides an in-depth look at all of the GDPR's requirements, and the Information Commissioner's official guide to preparing for the GDPR is also worth skimming.
For online advertisers, the practical effect is stricter rules on how they collect, control and store data. Because users must give active consent before being tracked, targeting customers will become more arduous, and travel companies and advertisers will need to develop creative ways of earning their users' attention and their consent (perhaps through rewards programs and other incentives).
However, although there will certainly be a bit of a learning curve as advertisers adjust to these new regulations, industry experts anticipate that ultimately the GDPR will lead to more effective, efficient marketing. Daniel Gilbert of Econsultancy, for instance, asserts that the GDPR will have "a positive impact on the quality of the data used for targeting, the relevance of ads, and the attitude towards those ads on behalf of the customer." And as customers gain more control over their data, they will be more willing to share accurate information with advertisers when it aligns with their interests, creating a more transparent, mutually beneficial relationship between customers and companies.
At Koddi, we view this new legislation as a positive step towards protecting our customers’ rights. We will continue to implement the highest levels of security and data privacy, and we will make it easy for our users to access, move, or delete their data as they see fit. For more information, email us at email@example.com.