The landmark regulation changed everyone’s mindset on how companies worldwide collect and use the personal data of EU citizens.
It was May 25th, 2018 and it turned out to be a day of chaos in the offices of many companies in (and also outside) the EU.
In the run-up to that day, companies had sent out countless emails to their clients and customers asking for consent to keep receiving their newsletters, something they had never really asked for before. At the same time, many businesses without dedicated personnel had been trying to figure out what kinds of data they actually held on their customers and how to organise and safeguard it going forward.
But what was this landmark event?
On that day, the General Data Protection Regulation, or GDPR, came into effect, dramatically changing everyone’s mindset on the use of personal data by both EU- and non-EU-based companies that collect, process and store the data of EU citizens.
Four years on, consumers in Europe already expect companies to comply with this regulation when clicking the “Accept” or “Agree” button on their sites’ terms and conditions (which, let’s face it, hardly anyone ever reads), as well as assume that regulatory authorities monitor the application of the regulation.
So what were the main changes?
Before GDPR, no one could really know what kinds of customer data companies were holding. Was Facebook just keeping our name and phone number or email? Was Google keeping a record of our searches? What does Netflix know about us from the content we watch? And how were these companies using this knowledge?
1. To answer these questions, GDPR applies to a wide array of collected data:
2. Companies need to respect citizens’ eight rights:
3. It has a global impact
One would guess this regulation was a drastic change just for EU-based companies, but its effects go much further. GDPR applies to all businesses that offer goods or services in the EU or that process the personal data of individuals in the EU, wherever the business itself is based. By the same token, that data can only be transferred to (and used in) countries the EU considers to offer an adequate level of protection, or otherwise under safeguards such as standard contractual clauses.
Being one of the three largest economies in the world, the EU drives investment from all corners, setting GDPR as a minimum standard requirement to operate in any of the 27 member states. It is not surprising that all over the world, data protection regulators have been adopting national legislation in an effort to harmonise the set of rules companies should comply with.
This is the case in Canada, Argentina, Brazil, Uruguay, Japan, New Zealand and, more recently, South Korea. In fact, Canada’s PIPEDA has been in place since 2001 and lent much of its spirit to the EU law, notably in establishing accountability as a fundamental legislative principle, but with one essential difference: unlike the Canadian law, GDPR applies not only to commercial actors but also to government entities.
In the US, however, the landscape is somewhat more diverse. On a federal level, different laws regulate targeted areas, such as HIPAA for health, FCRA for credit ratings, FERPA for education, GLBA for loans and investment data, ECPA for monitoring communications, COPPA limiting the processing of data belonging to children under 13, VPPA for video rental records, and the FTC Act, which makes sure companies comply with their own privacy rules. Only five states have adopted comprehensive privacy laws that are either in effect or will become effective next year: California (CCPA and its upcoming ‘update’ known by the acronym CPRA), Colorado (ColoPA), Virginia (VCDPA), Connecticut (CTDPA) and Utah (UCPA).
4. If there’s a data breach, it must be reported no later than 72 hours after discovery
One of the biggest novelties introduced by GDPR was the obligation for companies to report a personal data breach to the supervisory authority within just three days of becoming aware of it (and, where the breach is likely to put people at high risk, to inform the affected individuals themselves without undue delay). In comparison, up until then, the strictest US state timeline for reporting breaches was 30 days.
This requirement pushed companies to have proactive plans for addressing data breaches, rather than sitting on the news for as long as possible in the hope of avoiding a PR crisis. In a time when such incidents are commonplace, citizens need to know that their data might be compromised so they can take action.
5. If some of these rules are not applied, there are fines
These are certainly not just empty words with no meaningful consequences. GDPR is being enforced: as of May 23rd, 2022, GDPR violations had resulted in 1,093 fines worth a total of €1.63 billion (US$1.74 billion), and arguably the biggest enforcement actions have made news around the world, impacting the work of Big Tech.
Other well-known companies, such as the clothing retailer H&M, British Airways and even the Dutch Tax and Customs Administration, have been fined and have had to adapt their data protection mechanisms.
You are in control of your data
This is one of the most common messages sent out by companies these days. Such statements are meant both to make you feel empowered and to show that the company complies with data protection and privacy rules.
GDPR was certainly an important first step toward ensuring our data is secure. But the mere existence of this regulation should not make us stop questioning why this data collection is needed. Why do companies need to know so much about what we do, where we go or how we dress? And what alternatives are there when we don’t consent to the use of a specific part of our data? Can we find alternative services?
Moreover, if so many services and apps are happy to give us access for free in exchange for our details, what is the real value of our data, and how far does it exceed what subscription fees would bring in? This is certainly a conversation we will all need to have sooner rather than later.
By André Lameiras, Security Writer at ESET