You may have heard of the General Data Protection Regulation (GDPR). It’s a piece of European Union (EU) legislation that could have a far-reaching impact on some of the largest information technology companies in the world including Facebook and Google.
What is GDPR?
GDPR is a piece of legislation that was approved in April 2016. European authorities have given companies two years to comply and it will come into force on May 25, 2018.
It replaces a previous law called the Data Protection Directive and is aimed at harmonizing rules across the 28-nation EU bloc.
The aim is to give consumers control of their personal data as it is collected by companies. Not only will it affect organizations located within the EU, but it will also apply to companies outside of the region if they offer goods or services to, or monitor the behaviour of, people in the bloc.
This is why GDPR could have a far-reaching impact.
What are the key policies?
A major focus of GDPR is consent, the conditions for which have been strengthened. Companies will not be able to use vague or confusing statements to get you to agree to hand over data, and firms won’t be able to bundle consent for different purposes together either.
“If you have a page of different consent and saying by clicking here you consent to lots of things, that will be wrong, you need to be able to apply that consent individually,” Harry Small, a partner at law firm Baker & McKenzie said.
For children under 16, a person holding “parental responsibility” must opt-in to data collection on their behalf.
Another rule will make it mandatory for companies to notify their data protection authority about a data breach within 72 hours of first becoming aware of it. The processor of the data will need to notify customers “without undue delay” after learning of the breach, according to an EU document.
When it comes to user data, consumers will have more control. You will be able to access the personal data being stored by companies and find out where and for what purpose it is being used. You will also have the right to be forgotten. This means you can ask whoever is controlling your data to erase it and potentially stop third parties processing it too. Another provision of GDPR allows people to take their data and transfer it to a different service provider.
Are there punishments for breaking the rules?
Yes, and potentially big ones. An organization in breach of GDPR can be fined up to 4 percent of annual global turnover or 20 million euros ($24.6 million), whichever is bigger.
Some of the biggest technology companies are making billions in turnover every year so this could be a big hit if they were to breach any rules.
What will the impact be on firms?
Big organizations have had two years to get themselves ready for GDPR.
The big technology firms that have huge user bases and handle massive amounts of data have spoken about what they are doing. Facebook recently released new privacy tools that will help it comply with GDPR, and other big technology firms have also published their GDPR plans.
In a recent note, Barclays said that GDPR is likely going to impact social networks.
“We think there is a risk that reported MAUs (monthly average users) could drop off for Facebook and Twitter starting in late 2Q. DAUs (daily average users) are far more important and less of a GDPR concern for the social networks, but may also drop off a bit,” Barclays analysts said.
“In terms of ad revenue, we see less of an impact, but have heard additional concern around products like custom audiences which all platforms are using. Our checks suggest that most companies using cookies and tags for digital marketing should be relatively unchanged as most publishers have been using GDPR compliant notifications for months ahead of the May mandate.”