The General Data Protection Regulations (GDPR) are the result of four long years of planning by regulators and industry experts in the European Union. These regulations, which came into force on May 25, 2018, will strengthen consumer rights regarding data protection and privacy – and place the burden of compliance squarely on the shoulders of business.
At the foundation of the GDPR is an effort by European Union regulators to accomplish two objectives. The first is an overhaul of increasingly antiquated approaches to information technology. The second is to offer consumers more control over how their personal data is collected, protected, and used by companies.
It is important to note that the reach of the GDPR extends far beyond European shores. It affects businesses that operate in the EU and businesses elsewhere that do business with EU companies. In fact, it reaches even further: companies that use data gathered from EU citizens will also be subject to the regulations.
The reach and implications of the GDPR are enormous. In fact, a recent study indicated that ‘Global Fortune 500’ companies have spent in the region of 8 billion dollars in preparation for the roll-out of the new regulations.
The launch of the GDPR has seen a flurry of messages arrive via email and SMS to consumers advising them of the new regulation and how they should provide companies with the relevant permissions to use their data. But for some companies – especially those in Internet media – there is still a long hill to climb. Anyone using these sites will have noticed an awful lot of messages telling visitors that the site is not allowed to supply content to readers in the EU – but that they’re working on the issue.
It’s not that the GDPR has taken people by surprise (as evidenced by the amount of money that global companies have spent in preparation); rather, the terms used in the GDPR regulations are sometimes extremely vague.
Companies are urged to take ‘reasonable’ steps to protect consumer data – however, the guidelines as to what exactly those reasonable steps are is also extremely vague. This has security experts extremely worried. The penalties for non-compliance with the regulations can be astronomical. And seeing as the GDPR affects companies from the small to the large, a misstep can have catastrophic consequences.
The confusion continues in that the GDPR demands that companies meeting certain criteria appoint a ‘data protection officer.’ However, in what some say is an effort to future-proof the regulations, there is no definition of the size of organization that needs to do this. The regulation says only that if the company is processing data on a ‘large scale,’ this appointment should be made.
It is just this sort of vagueness that is giving many CEOs sleepless nights. However, the GDPR, when seen as a whole, is a set of regulations that is long overdue in the age of the Internet.