By Brent Warwick, partner, ipsoCreative
As of May 25, the European Union’s data protection law, the General Data Protection Regulation (GDPR), is in effect. The law is intended to protect the personal data of anyone living inside the EU. Essentially, it sets safeguards on how an individual’s personal data is collected and used and places control over that data with the individual rather than with the businesses or organizations that hold it.
Who it applies to
Technically, the law protects individuals (regardless of citizenship) residing within the EU, and it applies to organizations that are established in the EU or that conduct business with, or monitor the online behavior of, those individuals. Given the intertwined nature of globalization, however, many U.S.-based organizations that do business with EU-based entities are likely subject to the law as well. This means that if you provide marketing services, for instance, to a company headquartered in the U.S. that also has operations in the EU, you most likely need to be compliant with GDPR in order to ensure your client’s compliance.
Why does it matter?
Consumer protections are an essential component of a functioning, fair market. This is especially true in our technology-dependent and increasingly complex world. As our lives have become entwined with technology, new risks that were previously unimaginable have arisen. Identity theft is perhaps the best-known risk, but there are now far more pervasive risks in which poor information security causes real harm and distress to individuals. Ransomware that holds data hostage for small sums of money (which makes tracking the culprits and bringing them to justice nearly impossible) is one of the most significant and fastest-growing real-world reasons why data protection matters to individuals. Just ask Atlanta how important data security is: “Cost of City of Atlanta’s cyber attack: $2.7 million — and rising.”
What does the law have to say?
First, it’s always best to go to the source to verify that what you are reading is accurate. With that in mind, here are two valuable resources. The first is the PDF of the GDPR legislation itself. The second is the official EU website with GDPR information.
If you don’t have time to fully review the legislation, here are a few highlights that will hopefully help you and your organization understand its broad implications.
One of the central tenets of GDPR is transparency. Article 5(1)(a) of the GDPR says:
“1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’).”
This means that all organizations must be forthcoming with consumers. Consumers, whether they are using social media or casually browsing a website, should not have to conduct a search to determine whether any personal data is being collected. The onus is on the “data controller” (the organization that owns the platform or website and decides why and how data is processed) to be transparent about what data, if any, is being collected while a user is engaging with its online property. Note that GDPR reserves the term “data processor” for a third party that processes data on the controller’s behalf, such as a hosting or analytics vendor; processors have their own obligations, but the duty of transparency toward the user rests with the controller.
Right to be informed
Closely related to this transparency tenet is people’s right to know why their data is being collected, how long it will be stored, and whether it will be shared with any other parties. The GDPR legislation also specifies that any information an organization provides to users must be concise, easily understood (in clear and plain language), and easily accessible. Regulators further expect privacy policies and statements to be reviewed regularly, and if any changes are made to privacy information, they must be brought to users’ attention.
Both of these tenets lead logically to the requirement that, where an organization relies on consent, that consent be given through a “positive opt-in”: a clear affirmative action by the user. Users should not be presented with prechecked boxes, preselected defaults, or silence treated as agreement. It must also be as easy for users to withdraw their consent as it was to give it. Keep in mind that consent is only one of the lawful bases for processing under GDPR; where another basis applies (such as performance of a contract), consent is not required, but the transparency and right-to-be-informed obligations still are.
These three tenets largely focus on the rights of the individual. However, the law also specifies that organizations must ensure individual data protection via their internal policies and processes.
Data protection by design and default, and security
There is a great deal that can be said on this topic, and many of the GDPR resources online link to more detailed documentation on it alone. The essence of that documentation is that appropriate technical and organizational measures to protect personal data must be considered and implemented throughout all internal activities (GDPR calls this “data protection by design and by default” in Article 25, with the security requirements in Article 32). This covers everything from the design of internal human-resource policies and employee training through to the end of the product or service lifecycle, including how data is deleted when it is no longer needed.