Personal data, privacy and security issues have become more important and urgent than we thought since the Facebook/Cambridge Analytica scandal. The European Union recently enacted a new law to protect data privacy, the General Data Protection Regulation (GDPR), which took effect in European Union member states on May 25.
The rule applies to a wide range of personal data, including personal names and government identity card numbers. In addition, it protects location information that shows people’s activities, as well as IP addresses, cookies and other data that allows companies to track users as they browse the Internet.
The GDPR marks the transformation of an era in which individuals have the skills and opportunities to choose how to manage and share personal data. Greater openness about data means that any company with a digital presence in the European Union (currently still including the United Kingdom) must abide by the law or face hefty fines. For companies that are not prepared for these changes, this may be a huge challenge, but there is no doubt that the law will change how companies around the world collect and process personal data.
Each country has a GDPR supervisor in place to allow residents to complain to their authorities. Companies that violate the law face a fine of up to 20 million euros, which is equivalent to 4% of the company’s annual global revenue.
European data regulators said they would take compliance seriously. “Companies that have been making money from our data have more responsibilities,” Vera Jourova, Europe’s top justice official, said on May 24. Privacy advocates are already preparing to file complaints against Facebook, WhatsApp, Instagram and Google for violating the new rules.
In the future, data will work in much the same way as a calendar, and everyone chooses to invite specific people to share events and information with them. Therefore, ordinary citizens will have more control over the data they share with others, which may become the new normal after GDPR.
Businesses can still serve customers, send them emails, and collect and store their data. They just need to ensure that they have a “legitimate basis” for doing so and respect the wishes of those who want their data deleted. If these companies cannot prove that they have processed the data correctly, fail to report a security breach within 72 hours, or retain data for longer than necessary, they will face penalties.
Experts said that companies that take privacy seriously should find the new rules easy to comply with. “In general, if you are always good at data protection, it may be easy to adapt to the rules of GDPR. I’m worried about companies that have never thought about it, and they’re rushing to do it,” said Richard Merrygold, data protection expert.