All you need to know about the European Union General Data Protection Regulation
The recent Facebook – Cambridge Analytica scandal has woken the world up to the importance of data protection. To prevent issues like that, the European Union had drafted a regulation in 2016 and they gave companies 2 years to prepare for the full implementation. The European Union General Data Protection Regulation (EUGDPR) took effect in May 2018.
While a lot of people understand that the regulation was meant to protect their data from being used by companies without their consent, only very few really understand the nitty-gritty of the regulation and how it affects every party involved. This article seeks to simplify the regulation and explain how it affects you, other EU residents, Facebook, and other companies. It also explains how it affects non-EU residents.
What is the EUGDPR?
The European Union General Data Protection Regulation (EUGDPR) is a law that puts residents of European Union in full control of how their personal data is being used. The regulation also seeks to clarify the responsibilities of companies dealing with EU residents. The regulation came as an improvement on the previous law governing data protection that took effect in 1995.
What is the penalty for violating the regulation?
The penalty will be commensurate with the level of violation but the maximum penalty is either a fine of 20 million Euros or 4 percent of the company’s annual global revenue for the previous year, depending on which one is higher.
When will the regulation take effect or when did it take effect?
Since the 2-year grace period ended on May 25, 2018, the regulation has already taken effect and a lot of companies have started complying already.
Is the law for only EU based companies?
The simple answer is “No”. It affects any company that handles the data of EU residents. If your company has the data of EU residents for any reason, then the law affects you. It is better to withdraw your services to EU residents until your company is fully compliant.
Exactly what kinds of data does the law seek to protect?
The data protection regulation actually affects different types of personal data like name, gender, phone number, email address, social media account identifiers, government ID numbers, and even religious orientation and more. It also includes information on a person’s real world and online activities as well as his IP address and other tracking information.
Will the regulation affect social media companies?
Yes. In fact most of them have already updated their privacy policies because they are particularly guilty of the crime. In addition, several privacy advocates already filed complaints against Facebook and Google.
Does it affect a non-EU resident?
Yes and No; Yes, because some companies have already given non-EU residents some additional data protection rights. No, because the companies are not obliged to offer non-EU residents those rights and they reserve the right to withdraw them anytime. If they do, non-EU residents cannot file any legal complaint on it.
How soon should a company report hacks or breaches?
According to the regulation, if a company system gets hacked and data stolen, the company has just 72 hours to notify users. If the company eventually notifies users but after the 72-hour window, the company will still be sanctioned. The worst situation is when the company did not notify users until the lid is blown off, they will face the maximum penalty stated above.
Do minors have to give their consent too?
To process the personal data of users under the age of 16, companies need to obtain the consent of their parents.
Comparisons between EU data protection regulation and U.S data privacy law
In the U.S, privacy laws change with each administration while the EU privacy laws hardly change. According to the privacy laws in the U.S, individuals have little control over their data whereas EU gives users full control over their data. In fact, they can decide to delete it. While the U.S data privacy laws allow companies to hold on to individuals’ data for as long as they want, EU gives its residents “right to be forgotten”. This implies that they can decide to delete their data by themselves.
Now that you have better idea of what the regulation is about, you should begin to work towards full compliance as quickly as possible.