Companies and websites across the globe have been updating their websites and privacy notices for months, even years, to prepare for the May 2018 enactment of the famed General Data Protection Regulation (GDPR). Although this law specifically protects citizens of the European Union (EU) and European Economic Area (EEA), it affects everywhere online that these citizens visit, essentially asking the whole world to catch up.
You’ve likely noticed an increase in emails about updated privacy policies and notifications on websites about data collection. Indeed, these are all in response to the GDPR.
So what is the GDPR exactly? And how does it relate to you, even if you’re not part of the EU or EEA? Read on to see why the GDPR is important for everyone.
Broadly, the GDPR serves to strengthen and unify data protection by requiring increased transparency and communication from organizations that collect or process personal data. Privacy of personal information is a fundamental right, and the GDPR intends to grant users (in the EU or EEA) more control over how their information is collected and used.
More specifically, organizations that collect or use personal data are required to have a legal basis for doing so. Gaining explicit consent from data owners before collecting their data is one way to establish that basis, and it is the most common approach companies and organizations are taking (accounting for all those notifications you’re getting on websites across the Internet).
For the vast majority of websites, information gathered from visitors is used to enhance the user experience by remembering user preferences, allowing for easier page transitions, referencing previous purchases, etc. In some instances, organizations collect and use data more extensively. The GDPR requires that either scenario be clearly (and simply) explained in updated privacy policies.
Organizations must also assume the highest privacy settings by default and provide access to privacy policies that are transparent about what your data is used for, how long it is retained, and who it is shared with. Data owners are also granted the right to revoke their consent to share data at any time, to request that their personal data be deleted, and to receive a portable copy of the personal data a given organization has collected about them.
Increasing data security is another large component of the GDPR, requiring data processing to be protective by design and by default. Data encryption and methods of anonymizing data are necessary to achieve true data privacy, effectively unlinking information from the user so that it is no longer a potential identifier. Additionally, organizations that process user data as a core element of their business are required to employ a Data Protection Officer (DPO) to oversee that all data processing is in accordance with these new regulations.
Data breaches are also handled more aggressively under the GDPR, which requires organizations to notify their supervisory authority of a breach within 72 hours of discovery and, if adverse impact is determined, to notify all potentially affected users.
In addition to these enhanced regulations for meeting the privacy challenges of the “Age of Information,” the GDPR brings increased penalties for non-compliance. Depending on the infringement, fines for violating the GDPR can reach 23 million dollars or 4% of an organization’s annual global revenue, whichever is higher. Now you can see why so many companies and organizations have been eager to share their updated privacy policies with you. While coming into compliance with the GDPR can be an expensive process, it’s not nearly as expensive as noncompliance.
Although the GDPR specifically governs data from EU and EEA citizens, experts agree that similar legislation is to be expected across the world. In the wake of recent “data scandals” like the one we saw between Facebook and Cambridge Analytica, individual privacy and security are gaining increased attention. And since the Internet is largely a borderless terrain where people from all parts of the world travel, unifying data protection and privacy requirements across nations makes the job easier for everyone—businesses and regulators alike.
So even if you’re not an EU or EEA citizen, you don’t have to wait for your legislators to catch up. The GDPR has caused privacy policies to become clearer and more accessible while organizations make their data processing more secure and explicit. And while you might not yet have the authority to request that your data be deleted or sent to you in a portable format, you can expect that similar rights are coming your way soon.
At AudiologyPlus, we value the enhanced protections the GDPR has initiated. Data security is something we’re deeply committed to, and as such, we’ve gone beyond the requirements of the GDPR to ensure that every website we’ve built (either for our own needs or for our clients) offers the most advanced data protection available. To learn more about the level of security our modern websites provide our clients, feel free to visit our Privacy Center or contact us directly.