Brace for Impact: GDPR is coming.

By Jimmy Schleisman

What the Heck Even is GDPR??

The EU General Data Protection Regulation (GDPR) is the single most important change to data privacy in the last two decades. It applies to the European Union and to all businesses that operate in and out of the member states, regardless of whether they are based in the EU or not. Here’s the link to the CHANGES the GDPR is making to EU data protection policies. Feel free to read through and follow along as we dissect this shiz like the high school bio-lab nerds we all know we are.

“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.” (Eugdpr.org)

Okay, let’s crack this code and translate this garble of binary (lol my data puns are just…really, really bad). So, the GDPR’s main function is to protect EU citizens from data mining and data collection malpractice. In other words, it’s about treating people like people and not abusing the use of their personal information. That means no shopping, shipping or messing with other people’s personal, digitally sensitive shit. It also means holding companies and data processors responsible should there be a data breach at their firm.

(Honestly, the U.S. could take some notes from the EU, just sayin’.)

But Like, What Does the GDPR Even Do?

The first change we want to address is the jurisdiction of the GDPR. Girl, they’ve got their bases COVERED:

“Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location…it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.”

Our translation:

If you process data about EU citizens or do business in the EU, you gotta pay the toll. And by pay the toll, we mean GDPR is gonna be looming over your shoulder making sure you’re not f-ing with their peeps or their data.

Individuals, or “data subjects,” have the right to their information, meaning they can request copies of their information from companies, or “controllers,” to see how their data is being used. They also now have the right to give and withdraw consent for companies to use their information. So, if a citizen isn’t sure whether they like how a company has been using their info or they just don’t want their info being used anymore, they can withdraw consent at any time and bar that organization from using their stuff. It’s all about being ethical in business. Pretty cool, right?

On top of that, GDPR requires terms of consent to be laid out “…in an intelligible and easily accessible form, using clear and plain language.” This means no more 99+ pages of legal words and phrases. AKA, no more encyclopedia-length iTunes Terms & Agreements BS. Just plain, simple phrasing and cut-to-the-chase information. Or at least we hope that’s how it will actually turn out, but honestly, who knows.

The most shocking thing about all these changes is the penalties for not complying with the GDPR. The maximum fine that can be imposed on an organization for the most serious infringements of GDPR is €20 Million; the most serious infringements include failing to acquire sufficient customer consent to process data and violating the core Privacy by Design concepts. The rules apply to everything, meaning not even ‘clouds’ are exempt from GDPR enforcement.

Some other rights EU citizens get with GDPR include:

  • Breach Notification – Data processors will also be required to notify their customers and controllers “without undue delay” after first becoming aware of a data breach.
  • Right to Access – The right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where and for what purpose.
  • Right to be Forgotten – The right to have the data controller erase a data subject’s personal data, cease further dissemination of the data and potentially have third parties halt processing of the data.
  • Data Portability – The right for a data subject to receive the personal data concerning them, which they have previously provided in a “commonly used and machine-readable format” and have the right to transmit that data to another controller.
  • Privacy by Design – The right for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization), as well as limiting access to personal data to those who need it to carry out the processing.
  • Data Protection Officers – Internal record keeping requirements for controllers and processors.

How Does This Affect U.S. Companies That Do Business Within the EU?

Well, for starters, if you do business in the EU, you’re going to have to look over your foreign policy about data collection and the way you observe, monitor and track your consumers’ habits. This means companies like Amazon are going to have to be careful with how they manage their EU consumers’ personal information. To explain further, all those shopping recommendations Amazon offers are going to get a lot tougher to piece together if EU consumers withdraw their consent for Amazon to use their information. By extension, it will become increasingly difficult to build consumer profiles and personalize shopping experiences if individuals won’t let companies use their shopping history data.

On the flipside, GDPR protects EU individuals from companies like Amazon abusing their power over consumer information. For example, it seems like the GDPR will help shut down businesses from shadily dealing data under the table. I’m not saying Amazon does illicit stuff like that…I’m saying GDPR makes it more difficult for companies to conduct business in such ways. *glances across the room at Facebook*

Maybe it’s just because I’m sick of seeing manipulation and abuse of power with regards to data in the news, but the GDPR sounds like a policy the U.S. needs to adopt, like yesterday. So, U.S. companies that conduct business within the EU, get your data collecting and processing shit together cuz this policy affects you, even if you think it doesn’t. It has the potential to fine you up to 20 Million Euro if you decide not to comply, so there’s that. The GDPR doesn’t F around.