It is said that data is the new oil. Naturally, a resource as valuable as this has to be well protected. The EU General Data Protection Regulation (GDPR) brings in game-changing rules in the field of data privacy regulation. It is set to be enforced from 25th May, 2018, and if your organization is not in compliance with these new set of rules, you may face some serious consequences. Hence, it is crucial that you keep yourself abreast of these developments. But you don’t have to research extensively over this because we have got you covered. Here’s a brief overview of all you need to know about the upcoming GDPR.
What exactly is GDPR?
GDPR is a regulation spearheaded by the three legislative European Union institutions: the European Parliament, European Commission, and Council of the European Union. It brings in some key changes to the current data protection laws in the European Union. Companies now need to get explicit consent from the users in order to process their data which is available online. GDPR aims to return the control to the internet users in the EU over their data and make the regulatory environment simpler for international business. Before GDPR, the users’ consent was implicit, but now it has to be explicit. Pre-checked boxes or implied consent won’t work with GDPR. Companies can now only process the data of those consumers who have explicitly asked for it. This substantially reduces the scope of data collection, and consequently, of the amount of data being collected. Moreover, the data that is collected has to be used only for specific purposes and not for any new and incompatible purposes.
What is ePrivacy?
It is currently a directive in the EU legislation, but is in the process of being transformed into a regulation. It aims to protect the privacy and data of the citizens of EU and also of the European Economic Area (EEA), which includes Norway, Iceland, and Liechtenstein. It is majorly focused on respecting the users’ private lives when using electronic communications. Once in place, the ePrivacy will regulate the processes of placing, accessing, and using identification technologies on users’ devices according to the revised definition of personal data as per the GDPR.
The scope of GDPR:
General Data Protection Regulation (GDPR) is a set of new regulations which are meant to increase the protection of EU citizens’ data. This is of utmost importance if your organization does business within the European Union or collects data on EU citizens, regardless of your physical presence in the EU. This applies to even the non-EU companies who monitor the behaviour of or offer goods or services to the EU citizens. Even 'clouds' are not exempted from this. The entire global ad tech ecosystem, including publishers, agencies, DMPs, DSPs, ad exchanges and everyone else in digital advertising are under the purview of GDPR. In case of non-compliance, heavy penalties will be levied.
The extent of the penalties:
The extent of the fine depends on the seriousness of the breach. There are different levels or tiers of fine. A maximum penalty of up to 4% of the annual global turnover of the organization or €20 million, whichever is higher, can be levied upon the culprits. This can cause a serious damage to your company’s earnings. This will be charged in case of the most serious breach of the policy i.e. lack of sufficient and an unambiguous consent from the customers which will be considered as the infringement of the personal data protection policy.
Which data is considered as “personal data”?
Any data related to a human or a ‘Data Subject’ which can be used to identify the person either directly or indirectly is considered as personal data. This data may include anything like a photo, a name, an email address, phone number, posts on social networking websites, medical information, bank details, a computer IP address or cookie identifiers.
It is a “regulation” and not a “directive”
The EU is vast and comprises of many member nations. Therefore, there were multiple divisions of data privacy regulations between these member nations. In order to address this issue and harmonize the data protection laws across the EU, the Data Protection Directive 95/46/EC was brought into effect on 24 October 1995. But, as it was only a “directive”, it left some space for interpretation while converting into individual national law. Taking into consideration this fact, in combination with the rapidly changing dynamics of data in today’s digital evolution, an update to the current data protection laws was long called for. GDPR is set to fix these issues and make data protection even stronger.
These are the major highlights of GDPR in a nutshell. We hope this helps you with your data policies, gives you a heads-up on the upcoming GDPR, and prepares you to handle it well.