GDPR – the General Data Protection Regulation – is intended to establish a stronger, unified system of protection of personal data for individuals and businesses within the European Union. GDPR was adopted directly by the European Parliament, the Council of the European Union, and the European Commission on April 27, 2016. Following a two-year transition period, GDPR will become directly binding and enforceable as of May 25, 2018.
GDPR is an improvement upon the 1995 Data Protection Directive, intended to enhance control by individuals over their own personal data and accountability for organizations in how they collect, handle, and maintain it. The Data Protection Directive was implemented by individual law in each of the EU nations and therefore created a patchwork of standards and practices varying between the member states. GDPR therefore is intended to simplify and integrate requirements in a more cohesive and competent supervisory model.
Amid MiFID II implementation in January (see this post for more information on this financial system regulatory overhaul), organizations doing business in the EU were staring down a second major application of enhanced regulation with the approach of GDPR implementation in May. While MiFID II reaches far into the securities markets and financial system, GDPR will impact a far broader range of companies and consumer interactions. This enhanced data protection system extends its scope to include foreign companies holding data of EU residents in addition to organizations or processors based in the EU. Notice requirements, consent standards, and basis for processing of data lawfully, and handling of breaches are all harmonized and developed for further individual protection.
- US companies: As GDPR will apply not only to EU companies but also foreign companies holding data of EU citizens and residents as well as companies seeking to transfer individuals’ data out of the EU, US companies are contending with how to integrate GDPR into their data privacy and information security programs: GDPR: A Challenge and an Opportunity
- Global privacy: Some companies are taking the key moment of GDPR compliance to the next level by conducting an overhaul of their global privacy programs and settings. Motivated at least in part by fear of large penalty fines it could face for non-adherence, Facebook is making an investment in its privacy and control policies in order to establish GDPR compliance and demonstrate its ongoing commitment to improvement and education on privacy practices and protection. Transparency and individual control of data have notoriously not been at the forefront of Facebook’s user-facing practices, but perhaps fear of running afoul of the EU regulator newly empowered with potential punitive damages as an enforcement tool can be a positive motivator. If so, Facebook could set a standard for reform among its digital giant counterparts: Facebook to roll out global privacy settings hub – thanks to GDPR
- EU leadership: GDPR represents an opportunity for the law-making mechanism of the EU to make a splash on the global stage. The EU’s new privacy regulation is the biggest overhaul to data protection practices in the world in many years. Because the regulation applies to multinational companies, it is truly not just an EU law but rather a worldwide one, and it will set standards for lawmakers and regulators in other countries looking to beef up their personal data and information security regimes as well. As the EU implements its new privacy standards over the course of 2018, it will be interesting and challenging to see how the European law impacts practices both in other countries and between those countries and the EU: Europe’s new data protection rules export privacy standards worldwide
- Personal control: GDPR is the next link in the growing chain of regulatory systems and technological innovations – one often driven by or in answer to the other – that seek to enhance personal control of data. In a time when there is more digital information about individuals shared and stored than ever before, the need for this, in interest of both privacy and security, is greater than ever before: From GDPR to blockchain, we’re getting power over our data
- Enforcement: Although GDPR is a unitary system of regulation that is directly applicable and binding across the entire EU level, unlike a directive which would require national governments to make their own laws under it, the 28 individual countries of the EU must still adopt or amend to upgrade their own laws establishing local privacy regulators. Failing to authorize these local privacy offices in a timely and complete manner would impede the European Data Protection Board, the European Commission, and regulatory enforcers from ensuring the efficacy of the privacy laws: EU Countries Drag Heels on Laws to Enforce New Privacy Powers
Like all regulatory compliance initiatives, GDPR has provoked a mix of controversy and anxiety. Organizations are confronting major expenses in time, resources, and money to up their standards, often invoking huge administrative burdens. Hopefully, the benefit to consumer protection, information security, and privacy in this complex age of data saturation will more than pay off. Giving individuals control of their personal data aims to support privacy and truth in the digital age and to provide safety and defense structures which will both prevent breaches as well as inform and protect consumers in the event of data theft.