The EU’s GDPR Rule and How it Will Affect You

What is the GDPR?

The General Data Protection Regulation is a sweeping law that gives European citizens more control over their personal data and seeks to clarify rules and responsibilities for online services with European users. It replaces the EU’s previous directive governing data protection, passed in 1995, and makes some dramatic changes to existing conventions, including:

  • Unifying the rules for how companies should handle the data of European citizens
  • Expanding the scope of what’s understood to be personal data
  • Clarifying the roles and responsibilities of those who control and process data
  • Streamlining enforcement authority to one supervisor per member state
  • Compelling companies to notify consumers of a data breach within 72 hours
  • Intensifying the penalties for noncompliance


When does the GDPR take effect?

The regulation was ratified in 2016 and organizations have been given a two-year “implementation period” to prepare. This grace period ends on May 25, 2018, when enforcement begins in earnest.


Does this law apply only to companies based in the European Union?

No. The GDPR applies to any organization that collects, processes, manages or stores the data of European citizens, wherever that organization is based. This includes most major online services, as well as any business that collects, processes, manages or stores such data. As such, the GDPR effectively sets a new global standard for data protection.


Who enforces the GDPR?

The European Union parliament passed the law in April 2016, and each member state will have its own supervising authority.


What kind of data does the GDPR protect?

The regulation applies to a broad array of personal data including name, ID numbers and location, as well as IP addresses, cookies and other digital fingerprints. Here’s how the EU’s Protection Supervisor defines it:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.


How will this affect Facebook and other social media companies?

The GDPR applies to personal data processed for the purposes of social media marketing campaigns, communication with customers via social media, and the use of Facebook tracking pixels and similar technologies. However, the specific impact depends on how social media is used. Social media isn’t specifically discussed in the GDPR, so there are no aspects of the GDPR that are unique to social media or social media marketing.


How will this affect me?

Consumers can expect to see more privacy warnings and consent requests. These must be made separately, and cannot be bundled with general terms and conditions. The rules mean that tech companies can no longer assume users want to hand over their data. Companies must now count on the opposite, and reflect that in their services and products.

For example: Rather than automatically signing a user up for a mailing list and later offering an unsubscribe option, companies now have to explicitly seek consent ahead of time. The default option when asking users if they want to subscribe must be “no.” Some brands are already asking consumers if they want to remain on email marketing lists.

Companies are also required to tell authorities about any data security breach within 72 hours of discovering it — a rule that should eliminate big gaps between the business finding out and customers being informed.


How does the regulation impact hacks and breaches?

The GDPR requires companies that have lost control over customer data, or that have been hacked, to notify users within 72 hours. Organizations found in breach of the new rules can be fined up to 4 percent of their annual global revenue. If Facebook were found to be failing to comply, for example, it could be liable for a $1.6 billion penalty (based on its 2016 annual revenue of $40 billion).


Does the US have any legal equivalent to the GDPR?

No. Most states have their own laws governing data breaches and notification requirements, and most apply only to a limited set of data types — social security numbers and health or financial information. The SEC recently issued guidance on how public companies should disclose breaches and cybersecurity risks.

While the content provided here is designed to help you understand the GDPR when working with third parties like Gate 39 Media, the information contained should not be construed as legal advice. Be sure to consult with your own legal counsel and compliance department with respect to interpreting your unique obligations under the GDPR and the use of a company’s products and services to process personal data.
