It’s a year and a half since the General Data Protection Regulation (GDPR) came into force in the European Union; it has applied since 25 May 2018. The main goal of the regulation was to give individuals greater privacy, clarity and control over how their data is used by online businesses, organizations and third parties. Under GDPR, companies must now give much more information on how they use and retain individuals’ data, whether in privacy notices on websites, in employment contracts, or on online forms.
In this article we discuss exactly what GDPR is, what it means to the regular person, and the ways in which it has been enforced since it began to apply.
What Is GDPR?
The idea of GDPR is to make EU law on online privacy and data protection better suited to the complexities of the online era. Many of the biggest online businesses rely on the steady stream of personal data we give away every day we’re on the Internet, from cookies and Google searches to the details we enter into online surveys and other forms.
The big business of the internet is pretty much fuelled by our data, and the idea of GDPR is to give us more clarity and control over how it’s used, as well as to make companies accountable for what data they collect from us and how they use it.
This sounds good, but what exactly does it mean? Here are the key points concerning GDPR:
- An individual’s (a “data subject’s”) personal data may only be processed where one of six “lawful bases” applies: the individual’s consent, performance of a contract with them, a legal obligation on the controller, protecting someone’s vital interests, a task carried out in the public interest, or the controller’s legitimate interests where these are not overridden by the individual’s rights.
- Where consent is the basis relied on, it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give (hence all those consent notices that started appearing on websites everywhere). Consent is only one of the six bases, however; it is not required for every kind of processing.
- Controllers and processors must implement “appropriate technical and organizational measures” to keep personal data secure and to minimize the risk of abuse or breach; the regulation names pseudonymisation and encryption as examples of such measures.
- A personal data breach must be reported to the supervisory authority within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to the “rights and freedoms” of the individuals concerned. Where the risk is high, the affected individuals must also be told without undue delay.
- GDPR does not require data to be anonymized, but it encourages pseudonymisation (replacing direct identifiers so that records cannot be attributed to a person without separately held information) as a privacy safeguard. Data that has been genuinely anonymized, so that the individual can no longer be identified, falls outside the regulation altogether.
- The “right to be forgotten” (right to erasure) allows individuals to ask that their personal data be deleted, for example where it is no longer needed for the purpose it was collected for or where they withdraw consent. Instead of erasure, they can ask for processing of their data to be restricted. Where a company has shared the data with other recipients, it must tell each of them about any erasure, correction or restriction so that they can act on it too.
- Those who handle the data, made up of “controllers” (people and bodies who “determine the purposes and means of processing personal data”) and “processors” (people or bodies that process data on the controller’s behalf), are accountable for how it is handled and can be fined for non-compliance: up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements.
All of these rights come with corresponding obligations on companies, which face severe consequences if they do not comply. The amount of detail in this piece of legislation makes it perhaps one of the most far-reaching digital privacy laws in the world.
What Effects Is GDPR Having?
European data protection authorities have not been messing around in enforcing GDPR and cracking down on companies they believe to have run afoul of its rules. The most high-profile GDPR case currently involves WhatsApp and the Irish Data Protection Commission, which has raised concerns over whether WhatsApp sufficiently informs its users about how it processes their data.
Right now the draft decision on the fine WhatsApp is expected to pay has been pushed back to 2020 after a procedural complaint from WhatsApp’s lawyers was accepted.
Back in January 2019, the CNIL, France’s data protection watchdog, fined Google €50 million (around $57 million) for breaching GDPR, citing a lack of transparency and clarity in how Google handles personal data and a failure to obtain valid consent for showing users personalised ads.
In November 2019, the UK’s data protection authority, the Information Commissioner’s Office (ICO), issued warnings to ad tech companies over the processing of sensitive data and the contracts used to share data between vendors.
In the same month, Microsoft amended the privacy terms in its cloud contracts after an investigation by the European Data Protection Supervisor (EDPS) raised concerns that those contracts, and Microsoft’s role as a data processor for EU institutions, were not compliant with GDPR.
As you can see, GDPR has caused a lot of privacy-related conflict between online businesses and European regulators. While companies are showing a willingness to abide by its stipulations, many clearly have a long way to go before they are fully compliant, and we are likely to see fines and warnings coming thick and fast as companies adapt to the dramatically overhauled rules on online privacy in the EU.