Europe's Strong GDPR Privacy Rules Go Into Full EffectIt's May 25: Do You Know Where Your Data Protection Polices Are?
Europeans' enhanced privacy rights are now in full effect.
As of Friday, Europe's General Data Protection Regulation is being enforced by EU member states' privacy watchdogs.
"May 25th, 2018, is the date from which the data protection authorities and the supervisory authorities in each of the member states within the EU will start enforcing the regulation and start looking at organizations to make sure they are compliant with GDPR and making sure that they are protecting people's personal data in accordance with the requirements set out in the regulation," data protection expert Brian Honan, who heads Dublin-based BH Consulting, tells Information Security Media Group.
GDPR now stands as the world's toughest privacy law, in that it gives Europeans a greater right to privacy, in part, by holding organizations that store Europeans' data to strict standards of accountability and transparency.
Protects 'Data Subjects'
"Compared to the previous legal framework within the EU, GDPR ... introduces an enhanced approach on governance, accountability, the role of data protection officers, data breach notifications, risk-based strategies, security measures, consent giving and fines, providing a sound future-proof legal framework in favor of the data subjects," the EU's cybersecurity agency, ENISA, says. "Notions such as 'data protection by design and default' and 'the right to be forgotten' open up new possibilities in practice for sensible protection of fundamental rights."
The specific requirements imposed by GDPR vary and can differ based on industry and organizational size. But they apply worldwide to any organization that accesses, stores or works with Europeans' personal data (see GDPR Enforcement Begins: Impact on Healthcare, Banking).
For the first time, Europe also now has a mandatory breach reporting regulation. Many organizations must also have in place a data privacy officer, in charge of their organization's data privacy practices. And organizations are required to provide Europeans with a copy of the personal information they store on them, on request, as well as to field consumers' requests that their personal details be "forgotten," although that right is not absolute.
GDPR: In Effect Since 2016
The need to comply with GDPR appears to still be sending organizations scrambling to figure out just what that means, not only in Europe but everywhere from Australia and India to the Middle East and United States.
But the countdown to GDPR enforcement day has been a long time coming, following EU members states on April 6, 2016, agreeing to the major new reforms. While GDPR has been in effect since then, the EU included a two-year grace period to give organizations time to begin complying.
"Our new data protection rules were agreed for a reason: Two thirds of Europeans are concerned about the way their data was being handled, feeling they have no control over information they give online," says European Commission Vice President Andrus Ansip, who's from Estonia.
"Companies need clarity to be able to safely extend operations across the EU," he says. "Recent data scandals confirmed that with stricter and clearer data protection rules we are doing the right thing in Europe."
European officials continue to stress that privacy is a right that must be protected.
"Data protection is a fundamental right in the EU. The new rules will put the Europeans back in control of their data," says European Commission Justice Commissioner Vĕra Jourová. "Now we have a choice and can decide what happens and who has what sort of data. You can ask and companies have to tell you. You can also recover your data if you leave or change service."
Data Protection: Risk-Based Approach
Jourová says the single regulation - applicable to all EU members states, as opposed to the previous data protection directive which each member state interpreted - will make it simpler for organizations to comply as well as to do business across Europe.
"The rules are based on a risk-based approach," she says. "Companies that have been making money from our data, have more responsibilities. They should also give something back to the consumers; at least the security of their data. Companies which do not process data as their core business activity have less obligations and mainly have to make sure that the data they process are secure and used legally."
Stronger Potential Sanctions
Organizations that violate GDPR face fines of up to 4 percent of their annual profits or €20 million ($23 million), whichever is greater. The laws will be forced by member states' information commissioners, who serve as Europe's independent privacy watchdogs.
Elizabeth Denham, the U.K.'s information commissioner, has signaled that large fines won't be imposed on companies that are trying to get their GDPR compliance right, but rather for intentional violations or gross negligence. Regardless, she's called on businesses not to focus on the fines, but rather respecting people's privacy rights, and getting and staying compliant with GDPR (see Countdown to GDPR Enforcement: Deadline Looms).
To help, the ICO has been publishing a series of guides for businesses, addressing everything from GDPR myths to questions about what constitutes personal data.
"Almost everything we do - keeping in touch with friends on social media, shopping online, exercising, driving, and even watching television - leaves a digital trail of personal data," Denham says.
"We know that sharing our data safely and efficiently can make our lives easier, but that digital trail is valuable. It's important that it stays safe and is only used in ways that people would expect and can control," she adds.
First GDPR Complaints Get Filed
Some organizations' approach to complying with GDPR is already set to be tested. At midnight on Friday, Austrian privacy rights campaigner Max Schrems filed three complaints worth €3.9 billion ($4.6 billion) against Facebook and its WhatsApp and Instagram subsidiaries, and another complaint worth €3.7 billion ($4.3 billion) against Google's Android operating system. He's accused them of forcing users to accept "coercive" new terms that undercut GDPR's protections.
Schrems heads a new privacy lobbying group call noyb - for "none of your business."
"Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the 'agree' button - that's not a free choice, it more reminds of a North Korean election process," Schrems says in a statement.