GDPR Basics: What Does the New Policy Mean for Your Data?

GDPR Offers New Consumer Rights…And New Responsibilities

Data security: it’s a common source of anxiety for people these days. However, a new European Union policy called the General Data Protection Regulation—or GDPR—aims to make data less of a concern for you.

The GDPR was approved by the EU Parliament back in April 2016, and is set to take effect on May 25, 2018. It’s almost uncanny that this new regulation would go live in the wake of the Cambridge Analytica scandal, but the timing is pretty spot-on.

Now many businesses, including Facebook and other social media platforms, are applying the rule globally regardless of whether the law requires it. But what is the GDPR? Will the new rules really improve data security? How will it affect you even if you’re not in Europe?

The GDPR: Explained

As explained on the EU’s website, the General Data Protection Regulation was meant to “harmonize data privacy laws across Europe, protect and empower all EU citizens, and reshape the way organizations across the region approach data privacy.”

The digital economy has been something of a wild west situation up until now, because data rules are inconsistent and hard to enforce without a baseline standard. As EU lawmakers see it, the GDPR provides that foundation. This will be achieved via three key facets of the new plan:

Consent: Businesses need to get customers’ direct consent before using their data for anything beyond what they outlined in the terms of service. That means customers need to opt-in to any added data use, and companies need to be able to prove they asked for consent.

Right to Erasure: Also known as the “right to be forgotten.” This means businesses can’t hold customer data longer than necessary, and customers can request that any entity storing their data destroy the information at any time.

Privacy by Design: Privacy regulations need to be integrated into a business’s systems and technologies at every level. Default privacy settings need to have high standards. Also, businesses need to incorporate new technology to detect breaches, and will be required to notify customers of any breach within 72 hours.

That last point is especially important. Failing to comply with privacy by design standards will carry steep penalties of up to €20 million or 4% of annual worldwide turnover…whichever is greater.

New Protections…and New Responsibilities

At this point, you’re probably thinking this sounds great. The GDPR forces companies to be more open and transparent about how they use and protect your data, while also empowering you to have more say regarding your data.

It’s true that the GDPR puts a lot of the responsibility for data security on businesses, which is fair, as they’re the ones who want to store, research, and monetize your data. But there are new responsibilities for consumers as well. As Uncle Ben said, “With great power comes great responsibility.”

The GDPR gives you the right to say “no” to businesses using your data in violation of pre-agreed terms of service. However, using that right means you’ll need to know what is outlined in the terms of service. Similarly, before you can exercise your right to have a business destroy your data, you’ll need to understand who has what information.

For the GDPR to mean much, we need a consumer base that’s well-educated on data security rules and best practices. Looking at our track record, we haven’t done a great job of educating consumers on when and how to exercise their rights. For example, look at credit card disputes: the average consumer still has trouble figuring out when to fight and when not to.

A Positive Step…but Just the Beginning

We get it: learning about data protection and cyber security best practices is boring. However, you’ll have to take the steps to educate yourself on the topic.

As a consumer you owe it to yourself to learn who gets your data, why they get it, and how they use it. Without this critical information, you could find yourself just as vulnerable to cyber threats as you were before the General Data Protection Regulation.

At the end of the day, the GDPR is a positive step forward. However, laying the legal groundwork is just the first step toward a more data-conscious digital environment.