Online data privacy is a sensitive subject. We all know we should be actively advocating for data privacy measures and paying more attention to how and where our information is being stored and used, but we don’t. With the General Data Protection Regulation (GDPR), the European Union is setting the global stage for the future of data privacy.
The GDPR is the EU’s second attempt at further protecting the personal data of individuals residing in the EU. The original effort was the Data Protection Directive, which was adopted in 1995 to regulate the processing of personal data within the EU. The measures outlined in the Data Protection Directive include notice, purpose, consent, disclosure, and access regarding when data is being collected and how it’s used. Lacking in the accountability department, the directive was loosely followed in an “Opt out of cookies, and here’s our terms and conditions” kind of way. The GDPR, which shares the same mission as the Data Protection Directive, will take effect on May 25, 2018, this time with teeth to bite.
In order to ensure compliance this time around, the GDPR includes a hefty fine per occurrence of 4% of annual global turnover or 20 million euros (whichever is greater). While large corporations may be able to take a hit or two, a single incident could put a small brand out of business. With designated Data Protection Officers (DPOs) for every region of the EU, plus private data privacy and data mining companies, you can bet the headhunting will begin on May 25th.
There are two major working parts of the GDPR: collection and retention.
The main objective of the GDPR ordinance is to keep Internet users safe, a mission we can all get on board with. The first part of the measure focuses on the collection of data:
What data is collected?
Why is it collected (for what purpose)?
How is it being used and shared?
The new element of the GDPR requires brands to receive consent from EU Internet users before collecting and storing their personal data. Instead of offering individuals an option to opt out, companies need to get EU users to opt in to data collection. This regulation covers anyone residing in the EU and the EU economic zone, whether they live there permanently or are just temporarily traveling.
The second aspect of the GDPR is the retention of data. Data should only be kept as long as necessary for business usage. The time frames for what is considered appropriate business usage will vary between business departments. For example, marketing has a quick turnover and may only need user data for a short period of time, while accounting is required to store data for extended periods of time.
With the recent Facebook/Cambridge Analytica data scandal, data retention has become a particularly hot topic. To summarize what happened, the data of 50 million Facebook users, collected from a quiz without their permission, was sent to and used by Cambridge Analytica to target potential Trump voters in the 2016 election. Facebook asked Cambridge Analytica to delete the data but didn’t follow through with making sure it was actually done, and it’s likely the data is still floating around out there. If you want to look on the bright side, a positive thing to come out of the scandal is that Internet users will be smarter and more aware of their online footprint.
This leads to the second element of data retention. Under the GDPR, EU users can request that their personal customer data history be either deleted or transferred, and the company in question has 30 days to comply. This section of the GDPR ordinance gives users the power to take control of their personal data.
The GDPR is going to change the way we do business online. Every industry and company will face unique challenges in finding the balance between doing what’s best for customers and keeping their private data safe, all while being in compliance with the GDPR starting on May 25th.