User data privacy has been a hot topic for the past few months. On April 10, Facebook CEO Mark Zuckerberg defended the company's handling of user data before Congress, in hearings that some say put the entire tech industry on trial.
Now the EU's General Data Protection Regulation (GDPR) is set to be enforced starting May 25. It does not affect just EU companies, but companies all across the world, including in the U.S. Prior to the GDPR, the EU relied on an outdated 1995 directive that failed to take into account the advanced, data-driven world we live in.
The GDPR's mission is to give consumers control over their personal data, which means protecting EU citizens and residents from privacy violations and data breaches. The maximum penalty for breaching the GDPR is a fine of up to 20 million euros (about $23.95 million) or 4% of annual global turnover, whichever is greater.
So why should this matter to U.S. companies? The GDPR doesn't care whether you are a Chinese, American or Russian company. What matters is protecting the personal data of European Union citizens (and residents) from privacy infringement. The regulation's extraterritorial scope means that it applies to any company that processes the personal data of people in the EU, regardless of where that company is located.
Gartner predicts that 50% of the companies affected will not be in compliance this year. If you sell or offer goods or services to EU residents, or collect, process or store the personal data of any EU resident or citizen, you are subject to the GDPR.
Wondering how online companies such as Etsy, which have buyers and sellers from all over the world, would handle the situation, I did a quick Google search and found that Etsy released an article on April 23 explaining its changes to its users.
The changes included: sellers must create their own GDPR-compliant privacy policy, buyers can download their public data under their privacy settings, and EU sellers have greater access to portability of their shop data.
The GDPR also requires that consumers be notified of material changes to privacy policies, which is why many Etsy users received emails even though they had unsubscribed from marketing emails.
A large part of the GDPR is the importance of consent, whether that means giving or withdrawing permission. The official GDPR guidance states that companies will no longer be able to bury consent in "long illegible terms and conditions full of legalese." Instead, the request for consent must be presented in an intelligible and easily accessible form, with the purpose of the data processing attached to it. Consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give.
Data subjects now have a broader set of rights, including the right to be notified when a breach is likely to put their data at high risk, and the right to access the personal data being processed, learn what it is being used for, and why. Controllers must also report a breach to their supervisory authority within 72 hours of becoming aware of it, where feasible.
We've always heard that "everything lives forever on the internet." Well, we can't promise no one will screenshot an ill-thought-out tweet, but under the GDPR's right to erasure, data subjects are now able to have "the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data." The right is not absolute: it applies, for example, when the data is no longer needed for the purpose it was collected or when the subject withdraws the consent the processing relied on.
It's important for any company working with the EU to be aware of the GDPR and how the regulation will directly affect your business. A fine of up to $24 million, or 4% of global turnover, is a hefty wad of cash.