If you live in the EU and are concerned about privacy or your data being exploited, mark the date 25 May 2018 in your diary. You can bet that many corporate executives of digitally-inclined companies based in Europe have circled that date, along with those whose companies operate in Europe. On that day, the European Union’s General Data Protection Regulation (GDPR) goes into effect. This is not just some innocuous directive which can be flouted or circumvented. It will be the law, and it's already causing many corporate executives sleepless nights.
More than just strengthening and rationalizing data protection for individuals within the EU, the GDPR applies to the export of personal data to locales outside the bloc. At first glance, it seems harmless enough. Its goal is to give control back to EU residents over their personal data and to simplify the regulatory environment for international business by unifying regulation. Unlike a directive, which allows each country to apply it according to its own precepts, it is a law that countries within the EU must apply uniformly.
On one hand, it could simplify things for companies. It may even save them money, as they won't have to deal with data protection issues in different jurisdictions. Instead, businesses will be able to obtain a service “passport” for the entire region, much as financial services firms can. On the other hand, the scope of the regulation could have surprising consequences for some companies, particularly those that don’t reside in the EU but process the data of EU citizens. These companies may be in for a surprise - and a massive headache - with huge financial implications attached.
Non-adherence to the GDPR could result in fines of up to €20m and/or 4% of a company's global turnover. Ouch. Also, the regulation will grant important new rights to citizens over the use of their personal information. They will have the right, for example, to contest and fight decisions that have been made about them by algorithms processing their data. Companies will have to obtain explicit and valid consent both to collect data and for the uses to which that data will be put.
Consent is bound to be a thorny issue. There are outfits that currently operate outside the reach of data protection laws. The hidden crowd of data-hucksters, trackers, data-auctioneers and ad-targeting firms falls into this category. There will be problems for those that operate behind the facade of websites, social media, and Google. For them, the GDPR represents an especially existential threat. Unlike Facebook and Google, which have user consent, the data-broking bunch does not.
It could be earth-shattering for such companies to have to gain the appropriate consents. From May 2018, all the invisible tracking of internet users will have to be more visible. Tracking software will have to pop up and make itself known in order to seek express permission from users. Users are likely to find this annoying at best. Many will no doubt complain (thus invoking the harsh penalties for the companies concerned), or simply not use the services and thus bankrupt the data-brokers.
Even if companies such as these avoid prosecution and penalties, they will still face pressure from citizens with the newly legalized right to request the deletion of personal information relating to them. The burden will fall on the companies to prove that the data has been expunged - not an easy undertaking by any means.
Oh, and if you’re a company that operates in the UK and you're chuckling because the impending Brexit may exempt you, think again. The GDPR will apply in the UK despite Brexit.
It will be interesting to see how this all shakes out. For now, the GDPR appears to be a victory for consumers and privacy lovers. Stay tuned to developments on this front.