General Data Protection Regulation (GDPR) Guidance
The European Union adopted the General Data Protection Regulation (Regulation (EU) 2016/679), which governs the collection, use, and handling of personal data of anyone located in the EU (and, through the EEA Agreement, the wider European Economic Area), regardless of where the company processing it is based. The aim is to protect individuals from invasions of privacy, identity theft, and the consequences of cyber attacks such as hacking, and to give individuals control over their own data. Doing business with companies that are GDPR compliant is one way of reducing your exposure to such data theft, because those companies are obligated to limit what they collect and to secure what they keep.
As of the date the regulation became applicable, May 25, 2018, fewer than 10 percent of American companies were prepared to comply with the stringent requirements, which carry penalties of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, for serious cases of mishandling or misuse of data.
American firms that offer goods or services to people in the EU, or that monitor their behavior, must now meet these requirements, a high standard compared to the American marketplace’s atmosphere of free-for-all data collection and lax security. Under U.S. law, firms face few penalties for failing to disclose that data is collected, for breaches that reveal personal information, or for insecure storage that attackers exploit. Under the GDPR they can face significant penalties for each of these.
Privacy Shield in the U.S.
Many U.S. companies signed on to an arrangement called Privacy Shield, adopted in 2016 to replace the Safe Harbor framework that the EU’s Court of Justice had struck down in 2015. A company self-certified with the Department of Commerce that its handling of EU personal data met the framework’s principles, and once listed it was legally bound to them, with the Federal Trade Commission enforcing the commitment. Certification addressed only the lawfulness of transferring data across the Atlantic; it did not by itself make a company compliant with the rest of the GDPR. Privacy Shield was itself invalidated by the Court of Justice in July 2020 (the Schrems II judgment), and transfers to the U.S. now rely on standard contractual clauses or on its successor, the EU-U.S. Data Privacy Framework, which received an adequacy decision in July 2023. The State of California enacted its own Consumer Privacy Act in 2018 (in force since January 1, 2020), which applies to businesses that collect personal data of California residents.
How it works
Guiding principles for collecting, storing, and using personal data under the GDPR (Article 5) include:
- limited purpose: data is collected for specified, explicit purposes and not reused for incompatible ones,
- data minimisation: only what is adequate and necessary for those purposes is collected,
- limited time: data is kept in identifiable form no longer than needed,
- integrity and confidentiality: data is protected against unauthorised access, loss, or damage,
- accountability: the company must be able to demonstrate all of the above.
Consent is the most visible of these requirements, though it is only one of six lawful bases for processing under Article 6 (the others include performance of a contract, a legal obligation, and the company’s legitimate interests). Where consent is the basis, it must be freely given, specific, informed, and unambiguous: consumers must be asked to approve the collection of specific pieces of information for specific purposes, and a pre-ticked box or silence does not count. Information about how the data is used, for how long, and how to have it removed or destroyed must also be provided. Many companies in the U.S. still operate on the principle of implied consent and may resell personal data to others; those that do business in EU countries now explicitly request permission per the GDPR rules.
In brief, only information that is necessary for the stated purpose may be collected, it must be stored securely for no longer than a specified period, and it may be used only for that purpose. For instance, a person’s medical information cannot be collected to process a shopping transaction. Online services aimed at children may rely on the child’s own consent only from age 16 (member states may lower this to 13); below that age a parent or guardian must consent. The limitations on data collection go deep: the IP address of a site visitor is generally treated as personal data, so logging it requires a lawful basis like any other personal data rather than being free to collect. Similarly, personal information held by companies must be safeguarded with appropriate technical and organisational measures (Article 32 names pseudonymisation and encryption as examples) to prevent tampering, loss, or unauthorised access.
Those who collect data must be transparent about the uses of a person’s data as well as how an individual may have it erased. A data protection officer is mandatory for public authorities and for companies whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data (Article 37); many other companies appoint one anyway. After a breach, the supervisory authority must be notified within 72 hours of the company becoming aware of it (Article 33), and the affected individuals must be told without undue delay when the breach is likely to put them at high risk (Article 34).
One aspect of the individual having control of his personal data is portability (Article 20). The regulation does not assign ownership of data, but it treats the person the data describes, not the company that collected it, as the one who decides where it goes. Portability means that a person may request that a company he’s shared information with provide it to him in a structured, commonly used, machine-readable format (or transmit it directly to another company where technically feasible) so he may take it elsewhere. This is an additional step for businesses, which now have to keep information in, or translate it to, a common format such as CSV, JSON, or XML. The right covers data the person provided and that is processed by automated means on the basis of consent or a contract. Examples include fitness tracker data, medical records, or banking information.
How data must be handled
Subcontractors who handle consumer data on behalf of a company (processors, in the regulation’s terms) are also directly liable under these rules and must be bound by a written contract, and multinational companies must meet this standard at every location before they may transfer data from one to another. The rules push companies toward pseudonymisation, anonymisation, or encryption of data to limit the harm of misuse; Article 32 names pseudonymisation and encryption explicitly. The requirement is a particular challenge for some, like Facebook (which owns Instagram and WhatsApp), due to the volume of international account holders. Just a few months after the GDPR took effect, in September 2018, Facebook discovered a bug in its photo API that gave up to 1,500 third-party applications from 876 developers access to photos of up to 6.8 million users that they had not been granted, and reportedly did not notify its lead supervisory authority, the Irish Data Protection Commission, or its users for about 60 days. If the company were fined at the maximum of 4 percent of global annual turnover, estimates at the time put the total at around $1.5 billion.
How other countries handle privacy
Many countries have adopted data protection laws, but the EU has issued adequacy decisions (its equivalent of a “white list”) for only a handful of them, finding their protection essentially equivalent to its own. Those with adequacy decisions include Argentina, Canada (for commercial organisations covered by PIPEDA), New Zealand, Switzerland, Uruguay, and a handful of others; Japan was added in 2019 and the United Kingdom in 2021. Data may flow to these countries without further safeguards; transfers anywhere else need standard contractual clauses, binding corporate rules, or another mechanism from Chapter V of the regulation. The African Union adopted its own data protection convention (the Malabo Convention) in 2014, but ratifications came slowly and it entered into force only in 2023. South Africa has a Protection of Personal Information Act. Australia has an act that dates back to 1988 but was extensively amended with effect from 2014.