If you’ve found your email inbox to be more clogged than usual in recent weeks, you can blame that on the General Data Protection Regulation (GDPR), also known as the world’s strictest online data protection rules.
You might think these regulations are a result of the recent Facebook-Cambridge Analytica scandal, but actually, this is a major undertaking four years in the making. GDPR was adopted on April 14, 2016, after being deliberated for two years and was officially enacted just last Friday, May 25. However, the aftermath of the Facebook scandal has users demanding transparency with regard to their data more vigorously than ever before.
So what’s the big deal? Why the profusion of emails?
First of all, this is no minor change: the GDPR is 56,000 words and 88 pages long. It contains a number of guidelines that require companies to be far more open with their users than they have been in the past. Specifically, these rules include things like notifying regulators within 72 hours after a data breach and explicitly obtaining consent from users before collecting any personal data.
The biggest shake-up, though, is the new right to file data subject access requests. Residents of the European Union can now ask companies to show them all the personal information they have on file about them, but it doesn’t stop there. They can also ask for this information to be corrected or deleted. This will be more difficult than it sounds, as companies may have to scrounge up this information from several different servers and formats, and they don’t have much time – these requests must receive a response within 30 days. If a company misses that deadline, users have the ability to file a complaint with a local regulator.
Regulators don’t have the option to abstain from delivering consequences for noncompliance, so any companies that don’t follow the rules will definitely be punished, but as of now the severity of those penalties is unclear. The only thing we know is that companies can be fined up to 4 percent of their global revenue or $20 million (whichever one is higher). This is well within the realm of possibility for larger businesses, but it could be a death blow for small or even mid-sized companies.
Although these regulations technically apply only to the European Union, many American tech organizations must accommodate the new rules as well, as they often do business in Europe. Those American enterprises that don’t necessarily need to adopt new standards likely will nonetheless because it’s more practical for businesses to maintain consistent practices internationally.
In fact, we’re already witnessing the impact of the GDPR trickling into American institutions. For instance, The Washington Post introduced a “premium” EU subscription that allows readers an ad-free experience at a higher price than a normal subscription. In addition, California has proposed a heavily GDPR-influenced law called the California Consumer Privacy Act that will be voted on in November. California carries a lot of clout in the U.S., so it will be interesting to see if the state will lead the charge to enact similar legislation across the country.
As for other countries, Japan, South Korea, and Brazil seem to be making moves to put in place stricter data regulations of their own.
Besides speculation, there are already tangible effects from the GDPR. It rolled out with a bang when, on its first day, Google and Facebook were slammed with lawsuits equaling $8.8 million for attempting to tiptoe around the new rules. Their idea of obtaining explicit consent for the necessary changes to their policies was asking users to tick a box. This lack of flexibility violates the GDPR’s mandate for specified approval, and regulators are making an example of this noncompliance.
No one can predict the full extent of the effects GDPR will have on businesses, the internet, and the data privacy of the general public. But here are three things you can do right now:
- Check out the wealth of GDPR memes and jokes, because they are hilarious and because they might remind you what a wonderful place the internet can be. Here’s my personal favorite.
- Take this time when it seems like companies are coming out of the woodwork to send you emails about their new privacy policies as an opportunity to mass-unsubscribe.
- Listen to this Spotify playlist. It’s brilliant. Trust me.