The GDPR has a number of requirements, but the fact that it affects companies outside the EU is undoubtedly its most broad-reaching (and beneficial) effect. Because many data service providers serve both large and small businesses, an additional side effect is that even small companies will (via their service providers) do a better job of protecting your data.
Historically, data protection for U.S. consumers has focused on personally identifiable information (PII), which includes the obvious personal information such as name, address, date of birth, and Social Security number, but also other information like your genetic information, facial image, and fingerprints. In 2011, the California Supreme Court ruled that your ZIP Code is also PII, in part because 87 percent of the U.S. population can be identified by sex, date of birth, and ZIP Code. The GDPR expands the types of information that companies must protect.
The GDPR also regulates the process companies use to obtain consent to collect your personal information: they must use clear language to describe what data they are collecting and how it will be used, and your consent must be affirmative. Of course, "clear language" is a subjective standard, but it is hopefully an improvement on the overly brief or incredibly baroque language consumers often face. The regulation even requires companies to get your consent again if they change the what and why of the data collection you previously agreed to.
For those of us who've been victims of a data breach, the GDPR makes it mandatory to notify users of a breach within 72 hours of discovery. (In the U.S., that makes about half of us, thanks to last year's Equifax breach affecting more than 145 million people.) This is quite a shift when you consider that it took Equifax 41 days to notify those affected.
I mentioned that many companies use third parties to provide online services. In the past, these service providers were not directly liable, only the company using them. The GDPR changes this so liability extends to third parties as well. Since the GDPR has only recently gone into effect, the full effect of this provision may take some time to materialize, but it should be of concern to you if you hold personal data on EU citizens (or anyone else) on behalf of another company. “Consult a lawyer” is the standard answer, though your lawyer may not be up to speed on GDPR. In any event, regulations of this sort are a boon to members of the legal profession.
Aside from its scope, the most far-reaching aspect is its provision for the “right to erasure,” also known as the “right to be forgotten.” In short, it says you have the right to request that a company delete all the information they have about you. More important, perhaps, the company receiving such a request must comply “without undue delay.” There are some exceptions. For example, banks have legal requirements to keep some data for seven years, so it’s worth understanding the specifics of this part of the GDPR.
The GDPR represents a massive headache for company IT departments. Fortunately, companies have had a couple of years to prepare, but it’s a near-certainty that some companies have not yet addressed the changes necessary to allow for prompt notification of breaches, let alone the ability to delete all the information related to an individual person. And some companies, such as the Los Angeles Times, have chosen to block users from the EU to avoid the need to comply.
As with all regulations, lawyers read them and take their best guess about what actions constitute compliance for their clients. Nothing is ever really decided until a case ends up in court. To quote Carl Gottlieb, The GDPR Guy, “The key is to focus on what your rationale would be if you were stood in front of the regulator or a judge in court. Would you be confident that you had a justifiable position on doing the ‘right thing’ by the data subjects, doing the best you could and had given this enough focus and documented thought?”
In the meantime, if you collect and use personal information, especially from EU citizens, get up to speed on GDPR requirements and its potential impact on your business.