General Data Protection Regulation – scary monster or empty shell?

If you have a business, or are part of one, it is very unlikely that you haven't heard of one particular acronym: GDPR. As the title already reveals, GDPR stands for General Data Protection Regulation, the latest regulation adopted by the European Parliament in 2016 and enforceable throughout the EU from May 2018.

Why regulation on data protection?

As the economy becomes increasingly digitized, many companies hold highly sensitive personal information about their customers, and they also obtain information from various sources to study customer behaviour. All of this carries significant risk if the data is stolen and abused.

GDPR applies to everyone involved in processing data about individuals in the context of selling goods and services to citizens in the EU, regardless of whether the business organisation is located within the EU.

Also, as awareness of the value of analytical user data, artificial intelligence (AI) and machine learning has grown in recent years, and as storage space has become more affordable, digital service providers are encouraged to collect more and more user data.

For example, in a recent study (2017) published in The Guardian, at a journalist's insistent request the mobile dating app Tinder extracted 800 pages of that user's data (from just 3.5 years of app usage). This is just to show you the size and impact of the possible data risk if such an important business aspect is not regulated.

What does GDPR cover?

Basically, GDPR specifies how consumer data should be used and protected. To fully understand the regulation, you need to understand some of its terms: data subjects (the natural persons – customers – to whom the information relates), data controller (the entity that determines the purposes, conditions and means of the processing of personal data) and data processor (the entity that processes personal data on behalf of the controller).

GDPR covers 7 main areas, which are:

  • Consent – all terms & conditions should be easy to understand, consumer friendly and written with minimal legal jargon
  • Breach notification – in case of a data breach, data processors must notify their controllers and customers of any risk within 72 hours
  • Right to access – data subjects have the right to obtain an electronic copy of their personal data from the data controller, free of charge
  • Right to be forgotten – when data is no longer relevant to its original purpose, data subjects can have the data controller erase their personal data and cease its dissemination
  • Data portability – allows data subjects to obtain and reuse their personal data for their own purposes by transferring it across different IT environments
  • Privacy by design – calls for the inclusion of data protection from the onset of designing systems, implementing appropriate technical and infrastructural measures
  • Data protection officers – professionally qualified officers must be appointed in public authorities, or in organizations that engage in large-scale (>250 employees) systematic monitoring or processing of sensitive personal data.

But the main reason why there is so much fuss about GDPR is the financial penalty for non-compliance, which can go up to €20 million or 4% of global turnover (whichever is greater). This is something unseen before, and it makes GDPR the strictest data security framework in the world.

Certainly, many businesses will see GDPR as a significant restriction on commercial data use, and possibly on monetization, and undeniably as extra compliance spending. At the same time, however, the regulation strengthens customers' trust and confidence, which may raise adoption of many digital services and thus (easily) compensate for the compliance cost.

GDPR seems like a logical and necessary step to legally safeguard data security rights in this highly digitized world. And while it may initially look like an unnecessary burden, in the years to come it may well prove to be a necessary foundation for future services.