Ah, the famous Facebook-Cambridge Analytica scandal, in which the personal data of up to 87 million Facebook users was harvested without their knowledge!
The US Senate made Mr. Zuckerberg jump through quite a few hoops, and a hullabaloo was raised by eminent netizens from Apple CEO Tim Cook to Hillary Clinton.
Though Facebook’s popularity didn’t change much, as per a joint Reuters/Ipsos study, it must be admitted that online privacy is vital in today’s digital age.
Against this backdrop, the General Data Protection Regulation (GDPR) enters the ring on 25 May 2018, after years of work on data protection reform that the European Commission began in 2012. The existing EU rules, the Data Protection Directive (DPD), were adopted back in 1995, long before social networks, smartphones and cloud computing, and no longer fit the way personal data is collected and processed today.
What is GDPR anyway?
Put simply, it is a set of rules that places control of personal data in the hands of the individuals it describes (the GDPR calls them "data subjects"; this article also calls them data owners) rather than the businesses that collect it.
Big data rules supreme today. From social networks to banks and financial institutions, personal data is being collected, traded and shared everywhere, and every such transaction exposes our identities to theft, misuse or unlawful sale to third parties.
GDPR aims to create a clear regulatory environment in which businesses and consumers can safely realise the full benefits of the digital economy.
The essentials of GDPR
One of the most visible changes is that GDPR tightens the conditions under which a business may rely on a data owner's consent. Put another way, GDPR treats data subjects as the real owners of their personal information and business organisations as its tenants. (Consent is only one of several lawful bases for processing; a business may also process personal data, for example, to perform a contract or to meet a legal obligation, but each basis comes with its own conditions.)
Businesses will no longer be able to obtain personal data through vague or confusing statements. They must disclose, in plain language, what the data will be used for and how long it will be kept. Consent must be freely given, specific, informed and unambiguous, and for sensitive categories of data (health, religion, biometrics and the like) it must be explicit. Silence, inactivity or a pre-ticked box is not consent!
“If you have a page of different consent and say ‘by clicking here you consent to lots of things,’ that will be wrong. You need to be able to apply that consent individually,” Harry Small, a partner at law firm Baker & McKenzie, told CNBC by phone.
Data owners must also be able to withdraw their consent at any time, and withdrawing it must be as easy as giving it was.
Where an online service is offered directly to a child, consent must be given or authorised by a parent or guardian for children under 16 (individual EU member states may lower this age limit, but not below 13).
Another GDPR rule requires organisations to notify their data protection authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected. Where the breach is likely to result in a high risk to those people, the controller must also inform the affected data owners themselves without undue delay.
In general, consumers would have more control over their personal data, knowing where it is stored and how it is used.
And they would have the option to be "forgotten" by the company. This right to erasure means that, on request, the data owner's personal data must be deleted from the controller's records, and any third parties the data was passed on to must be told to delete it too. The right is not absolute (a company may, for instance, have to keep records that the law requires it to retain), but where it applies, erased data can no longer be stolen, misused or passed to a third party.
Who does GDPR apply to?
GDPR applies to every organisation established in the European Union, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. A US or Indian company with EU customers is in scope just as a French one is.
Failure to comply can be expensive. Fines come in two tiers. For breaches of obligations such as keeping records, securing data and notifying breaches, the maximum is 10 million Euros or 2 percent of the business's worldwide annual turnover, whichever is higher. For the most serious infringements, such as violating the basic processing principles or the conditions for consent, disregarding data subjects' rights (including access requests), or making unlawful international transfers, the maximum rises to 20 million Euros or 4 percent of worldwide annual turnover, whichever is higher.
We live in a digital age in which we regularly exchange information about ourselves. That does not mean we have to give up our privacy online. Just as we expect privacy in our personal lives in the real world, we should expect the same in the virtual world.
While GDPR might sound complex at first, it is at heart a simple and necessary step towards a more transparent and accountable digital community.