The GDPR has been implemented for a month. Here’s what’s changed.
The Internet would like to apologize for all the scary-sounding warnings you received over the last month or two. You know the ones we’re talking about. There’s something saying “Our privacy policy has changed” and there’s something else about yadda yadda yadda. Also: the initials GDPR appear, and that sounds like a vast, invisible criminal organization in a 007 movie. You are asked to click a button that says something like “Got it”—but you’re worried that maybe you just agreed to something you’ll regret later.
But the GDPR is not malevolent. It stands for General Data Protection Regulation. The regulation presents a massive overhaul in the way companies process and protect user data, and is set to force sweeping changes in every industry from technology to advertising.
It forces organizations to report data breaches. And they can’t drag their feet about it.
Over the past decade, we’ve seen incidents—such as the Equifax hack—where companies either failed to report a data breach, or took months to do so. (It took Equifax over two months to report its security breach to its clients and investors.)
The GDPR requires organizations to directly notify users when user data is lost or stolen. And they can’t bury it in a press release, on their website, or in a social media post—under the new regulations, companies must directly report breaches to users. Breach notices have to be specific, too, laying out the extent of the hack, the potential consequences, and what’s being done to minimize the damage.
It gets rid of legalese in privacy policies—and requires explicit consent
Back in 2008, one notable study found that if a user were to read every privacy policy he encountered in a year, he’d need to take a month off work—about 244 hours—just to do it. And he’d need a PhD in Linguistics to understand what he was reading; most privacy policies were so cluttered with tech jargon and legalese, they were basically illegible.
The GDPR requires companies to list how they’ll use consumer data in “an intelligible and easily accessible form, using clear and plain language.” In terms of describing what constitutes clear and plan language, it doesn’t get more specific than that; presumably, this is an intentional decision that will give legal teams more flexibility in the future.
Companies must also ask users to give active, explicit consent to having their data collected, rather than what the GDPR calls “passive acceptance”—a pre-ticked box prefaced by 20 pages of jargon. That consent can be revoked at any time, for any reason.
It requires companies to hold someone accountable
All too often, when a company suffers a data breach, it will try to dodge blame by passing the buck around the organization, arguing over who was responsible. Now, the GDPR requires most large companies to appoint a specific Data Protection Officer whose job is to ensure compliance.
Only companies which perform large-scale behavior tracking, process massive amounts of data, or constitute a public authority will be required to have a Data Protection Officer. However, companies which don’t meet the aforementioned requirements aren’t off the hook; they are defined under the GDPR as “data controllers”, and the third parties they hire are “data processors.” Controllers are responsible for ensuring their data processors are compliant; processors are responsible for reporting breaches immediately; and both parties can be held accountable.
It gives law enforcement sharper teeth
So, what happens to companies who aren’t GDPR compliant? Well, for one thing, they’ll be fined—and these fines are no slap on the wrist. The worst offenders can be fined a maximum of 20 million Euros, or 4% of the company’s annual global turnover, whichever is larger. For some companies, that could mean billions.
If you’re reading this in the U.S., you might be wondering, “Can the EU really enforce a fine on a company in another country?” Put simply, yes. The EU is legally justified under international law to enforce its regulations, and it is likely that U.S. authorities will help it do so. Since breaches usually don’t have geographical boundaries, the EU and US have a strong relationship when it comes to cybersecurity.
What does the GDPR mean for me?
On the surface, the GDPR is—let’s face it—a bunch of boring-sounding letters. But underneath all the stone-faced legalities is something truly revolutionary: a law created by a foreign government that ended up protecting the entire world.