What You Need to Know About the EU’s General Data Protection Regulation (GDPR)

With every day that passes, major organizations that exist primarily on the Internet collect massive amounts of data from people to sell to advertisers and other entities that use it to tailor their offers to those same people. Whether you believe this is nefarious, misguided, or simply a sign of the changing times, we can all agree that data collection has reached heights we have not witnessed at any point in history.

This has made many feel as if they are losing control of their own personal information, and some governments have begun discussing how they should intervene to help people regain that control. The EU, for example, established the General Data Protection Regulation (GDPR) which enters into force on May 25, 2018.

What GDPR Is and Isn’t

The European Commission has been struggling to keep all its ducks in a row for the past decade regarding data and privacy. The GDPR is an attempt to unify all of these laws into one single framework, making it easier for businesses to comply with them. The framework also adds a couple of new regulations that are largely meant to supersede the Data Protection Directive of 1995.

This upgrade resulted in a document of over 200 pages.

While the mission and purpose of the GDPR were laid out by the EC as a set of laws that aim to “give citizens back the control of their personal data,” that doesn’t mean that this is a cure-all for all the woes that “citizens of the internet” suffer.

On the other hand, GDPR does place a great amount of emphasis on consent. Websites that collect data are required to let users opt in to data collection practices.

To summarize everything in one neat sentence, the General Data Protection Regulation lays out obligations for organizations operating in the EU and new rights for the people who use their services.

The Rights Offered by GDPR

People who use services that fall under the GDPR’s scope are known as “data subjects” for reasons that should be obvious (i.e. you are the subject of the data a website collects about you). In Chapter 3 of the legislation we can clearly see all of the rights the document declares:

  • A company must make it clear to users that their data will be collected and how it will be used. This communication must happen in writing or by other appropriate electronic means, and it is enforced especially strictly where minors are involved (articles 12 and 15).
  • If data collection takes place, the user has the right to know how to contact the company or its data protection officer; legally, the user must have a way to reach the collector. The company collecting data must also make it possible to withdraw consent at any time (articles 13 and 21).
  • Even if data collection doesn’t take place, the user still has the right to the contact details specified above (article 14).
  • The user has the right to correct any inaccuracies in the data (article 16).
  • Article 17 brings the “right to be forgotten” to the GDPR, an old European concept that allows users the ability to request that their data be erased from a database entirely.
  • The user has the right to ask the website to no longer process their data if they do not want it erased entirely (article 18).
  • If a company has shared a user’s data with other parties, they all need to be notified about any erasures, corrections, or restrictions. The user must have the right for all their data processing to be halted from all parties (article 19).
  • The user has the right to ask for their data that has been collected (article 20).
  • Users have the right not to be subject to decisions about them that are made automatically from the data collected on them (article 22).

All of these rights come with complementary obligations enforced on companies, and they could face severe consequences if they do not comply. The amount of detail put into this piece of legislation makes it perhaps one of the largest digital data privacy protection laws in the world.

What the GDPR Says About Data Breaches

There’s been a growing trend of major companies getting hit by breaches, losing a bunch of their customers’ data, and then failing to report the loss to the people affected. In November 2017 Uber was the subject of a scandal after it was revealed that it knew about a breach for over a year, swept it under the rug, and paid the hackers who were responsible to keep their mouths shut.

This kind of practice is now also addressed by the GDPR, giving companies seventy-two hours to report data breaches to authorities (recital 85), lest they endure a fine of 20 million Euros or 4% of their turnover.

This might help get rid of the trend of business executives hiding their breaches until it’s probably too late for their customers to take action to prevent being victimized further.

Companies are also required to encrypt their data in order to “render [it] unintelligible to any person who is not authorized to access it.” Granted, the vast majority of your data online is already stored in this manner, but it is still encouraging for some to see this written into law.

Are There Disadvantages to the GDPR?

The GDPR is arguably the boldest idea that the European Commission has passed in recent years, making massive changes to the relationships between service providers and their users. The rights provided by the legislation imply several infrastructure changes that some companies have to undergo, although the burden might not be as large as some critics are saying. To get a clearer perspective on how the GDPR might affect businesses, we have two sources: a report by the UK Information Commissioner’s Office and a survey performed by Ovum in 2015.

In the UK study we see that “the majority of businesses are unable to quantify their current spending in relation to data protection responsibilities.” This is very vague, but it’s safe to assume that the effects of the GDPR on businesses haven’t been properly assessed. The picture will become clearer through 2018, once the law has had time to take effect. The government agency that commissioned the study concluded that local governments could do more to help businesses get ready and to provide support and training for their staff.

The Ovum report, titled “Data Privacy Laws: Cutting the Red Tape,” goes a little more in depth by providing a full analysis of how businesses perceive the changes. The company interviewed 366 global IT firms, more than 70% of which “expect to increase spending in order to meet data sovereignty requirements.” The picture is not all gloomy, however, as 53% of the businesses plan on using third-party technologies to assist them in maintaining data transparency.

In short, while GDPR will definitely have an impact on European businesses, it isn’t apparent whether or not this effect will be entirely negative.

After reading all this, do you think that the GDPR sufficiently protects the rights of web users? Or does this legislation need to go back to the drawing board? Tell us in a comment!