With technology permeating every corner of the world, globalization has become more prevalent than ever. These days you can send messages to someone on the opposite side of the planet in the time it takes you to type it out.
Although there are plenty of benefits of globalization, one side effect is that laws and regulations that happen in some countries can impact the rest of the world in substantial ways. Today we’re going to be talking about one such change - the GDPR. Let’s see the results of this legislation.
What is the GDPR?
This stands for the General Data Protection Regulation. It was passed by the European Union, and it will become law this year. While there are a lot of technical aspects of the GDPR, it relates mostly to cybersecurity and personal data - how it’s stored, shared, and processed.
Because more and more information is being transferred online, this legislation has far-reaching effects. As such, it’s imperative that everyone have a solid grasp of what it does and how it will impact businesses around the globe.
Again, there are more complicated elements of the GDPR, but here are the most notable pieces to pay attention to.
Right to Access - Individuals will have the right to see how their personal information is being used by a company, as well as request access at any time.
Right to Deletion - When a customer is no longer part of a business, they can request that their data be deleted from the company’s archives.
Right to Information - If a business changes how they collect or process consumer data, they have to make these changes known to the public so that people can decide if they want to continue to have their data stored.
Right to Correct Information - Errors happen all the time, but a person is now able to request that the data that a company has is accurate and up-to-date.
Right to Object - This is a big one. If a consumer doesn’t want his or her information shared by a company, he or she can file an objection that the company has to obey.
Right to Restrict - Like objection, consumers can also dictate how their data is processed and stored.
As you can imagine, these changes are going to have a significant impact on the way that companies do business, both in the European Union and abroad. Other elements include a right to notification in case there is a breach, as well as portability, which enables consumers to transfer their data as they see fit.
When Does the GDPR Go Into Effect?
May 25th is the official date when the GDPR will become active, so any company that does business in the EU (i.e., has offices or employees there) should already be well on their way to becoming compliant with the new law.
What if I Don’t Do Business in the EU?
At first glance, you may think that such sweeping legislation may not affect you or your company because you are based in the US (or another non-EU country). However, as we mentioned, the effects of these changes are far-reaching, which means that everyone will be affected, both directly and indirectly.
Part of the reason that this law is going to become such a global presence is that it has both loose and strict definitions of what it protects. On the loose side, it doesn’t refer to a specific group of people, such as citizens or residents of any European Union country. Thus, anyone in the world could be subject to these protections and rights.
On the stricter side of things, the definition of personal data and privacy are tightly controlled. In the US, we have a much narrower definition of what constitutes personal information, which is usually related to an ID number (i.e., social security). In the EU, however, personal data is anything that can be used to identify a natural person.
Almost any information collected online falls into this category. Data like IP addresses, physical location, gender, age, body type, and ethnicity are just a few of the items considered “personal data.” As a result, nearly anyone who is tied to the EU (even tenuously) can have their information protected by the GDPR.
Controlling vs. Processing Data
To put things into a bit more perspective, you have to determine whether your company is a controller of personal data or a processor. While the definitions are more tightly defined, they loosely translate to the following.
Processor - an entity that collects or uses information in any way
Controller - an entity that decides how to use personal data
For example, a controller could be a company that collects consumer data to sell them products. A processor would be a business that processes that information to ship products to the customer.
Bottom Line - What Do I Need to Know?
Overall, the GDPR is a law that puts power to the people. No longer will businesses dictate how information is collected, stored, and used. Now, consumers will have much more control over their data and who has access to it.
As a business, you have to become GDPR compliant if you have any kind of internet presence, which is basically everyone. Even if you don’t transact anything with an EU resident, even potentially collecting his or her data means that you fall under the GDPR’s jurisdiction.
Thus, you should become compliant no matter what so that you don’t get into any pitfalls. The ramifications of failure can be costly, and it could create more problems than it’s worth.
The bottom line is that consumers now have the right to know how their data is being used, and they have the right to tell businesses if they approve of it or not. Transparency and consent are the two primary changes, so make sure that your company offers both.