Information privacy and how it is treated on the Internet has been in the news a lot. From data breaches to companies selling their customer’s information to data mining scandals like Cambridge Analytica, the privacy of our data and how it is treated on the Information Superhighway has never been more relevant here in the United States than ever. The same can be said in the European Union with one exception, the European Parliament in Brussels has done something about it.

The GDPR

Regulation 2016/679 was passed in April 2016 (otherwise known as the General Data Protection Regulation) and goes into effect on May 25 or this Friday. This regulation contains provisions and requirements regarding the processing of personal information of residents of the European Union (EU) member states. Businesses in the EU or those who do business with EU citizens are now required to handle personal data using the highest level of safeguards. The goal is for no personal information to ever be available publicly without that person’s consent and the information that is made available cannot be enough to identify someone.

Personal information can only be processed in a manner specified by the regulation unless the person has given their consent for the information to be made available to the public explicitly (and it does need to be explicit) and this consent can be withdrawn by the person at any time. The processor must also disclose what data is being collected, how it is being collected, why it is needed, how long it will be retained and if it is to be shared with anyone else. Data can only be collected if certain strict requirements are met.

For businesses that process personal data they will be required to have a Data Protection Officer that will be responsible for managing and compliance with the law. All data breaches must be reported within 72 hours if they affect user data.

What is personal data?

The EU considers personal data to be “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address.” These rules apply to each member state of the EU. Failure to comply will result in anything from a written warning, increased audits or fines up 4% of their global revenue or €20 million ($23.5 million), whichever is higher.

Not just something for Europe

The Europeans are well ahead of us here in the United States on many things from electric vehicles to credit card security. It should be no surprise that they would also be ahead of us regarding data privacy as well. The reaction from businesses has been mixed, with about half seeing benefits that will come from this and the others feeling that nothing will change. For many businesses it has been and still is a struggle to meet lofty compliance standards. In the UK for example businesses are not required to disclose data breaches but despite the UK leaving the EU any British company that does business with the EU will need to meet compliance. The same can be said for companies around the globe as well.

Sometimes a change is needed and sometimes it takes government oversight to bring those changes about. Given what has happened in the past 2 years most people would agree that more needs to be done to not only protect a user’s data but to control what information is stored as well as what is done with that information. It has been a challenge in the EU to get this far but here in the US the struggle is just beginning.

Comments are closed.

Scroll to Top