On the 25th of May 2018, a new era of consumer protection regarding data protection and privacy was ushered in. This was when the regulations outlined in the European Union’s General Data Protection Regulation came into effect.
The promulgated regulations were the result of four years of careful analysis of the global data environment and especially of how the Internet was affecting the privacy of individuals. The overhaul of the EU’s increasingly obsolete regulations was also forced by two main factors.
The first was the growing amount of data gathered by companies and how they were using this data. In effect, companies ranging from retailers to the owners of social media sites gathered extremely detailed data from consumers. They often sold that data to marketing companies – without the express permission (or sometimes even knowledge) of those who made use of their services.
So the GDPR tightens up on the responsibilities of companies. It stipulates that companies need to obtain consent from consumers before harvesting their data and inform them about just how they will be using that data. Organizations must also allow consumers to ‘opt-out’ of that data gathering and use process.
One of the reasons that this has become such an enormous issue in recent years is the increasing amount of data gathered. Organizations are now not only gathering names, physical addresses and credit card numbers – they are also starting to gather biometric data, track psychological profiles, and use advanced algorithms to predict behavior. This has many consumers extremely worried.
Then there is the increasing threat of hackers. The number of malicious attacks on databases across the globe has been steadily increasing, and the sheer volume of personal data that is being lost is staggering.
GDPR puts the onus back onto the organization when it comes to just how the data is gathered and how it is managed – and protected. It sets out standards for that protection and the proactive steps that a company must take to inform the consumer when a data breach has occurred. The company is now also responsible for informing the relevant authorities of the details of the data breach. They will also be responsible for keeping those authorities informed about what steps they are taking to mitigate the damage done.
However, the challenges facing companies in the race to conform to the regulations are causing many CEOs sleepless nights.
The European Union, when developing the regulations, seems to have taken a deliberate decision to keep some of the terms vague. Many experts believe this was an effort to ‘future proof’ the regulations, but it makes implementing the required changes frustrating for many companies.
For instance, the regulations demand that the company take all ‘reasonable’ steps to safeguard individuals’ privacy when it comes to data – but what exactly is the definition of ‘reasonable’?
The GDPR is long overdue – but implementation may prove to be difficult.