GDPR, short for European Data Protection Regulation, lays down a new set of rules and regulations to guide how companies operating in Europe handle customer data.
What does it mean in simple words?
Every facet of our online life, be it doing banking transactions online, accessing health records or posting a status update on a social media network, revolves around the exchange of data.
Companies have access to personal data, which they use to enable us to carry out online conversations and exchanges.
That is probably why entities like Bitcoin, an entirely anonymous currency, are surging in popularity.
With this legislation now in effect, people living in the EU have more control over their personal information.
Passed in 2016, the resolution gives teeth to people fighting against malpractices perpetrated by companies mishandling user data.
Countries within the European Union will fall under the purview of the new law, along with the UK.
Even if you’re a European citizen and reside outside the EU, you can still enjoy the benefits provided by these new regulations.
The new rules come in the face of increased accusations and incidents in which consumer data was compromised or irresponsibly accessed. The most recent example pertains to Facebook.
In other countries, compliance often doesn’t go beyond secrecy in medical records and rules pertaining to how well they’re stored.
Presently, who should comply with it?
GDPR applies to any and all organizations operating within the EU and to all organizations operating outside the EU that offer services or goods to EU citizens.
The legislation divides companies into two big categories: ‘processors’ and ‘controllers’.
GDPR came into force on May 25, 2018, and all companies falling into the above two categories must be compliant.
Having a uniform law that extends to all member states is estimated to save 2 to 3 billion annually.
In effect, GDPR allows people to ask companies how their personal data is being used and also empowers them to ask these companies to delete this data if needed.
Personal data refers to data like your name, email id, IP address and information that could be used to trace back to your real identity.
In addition to that, GDPR empowers customers to disallow their data being used to target them in online advertisements.
This also stops retargeting ads from targeting you and puts an end to those annoying ads that seem to dog you everywhere online.
As a spill-over from the regulations, companies are extending the data protection facets to customers even outside the EU, especially companies that base their operations in the EU.
Considering the lax manner in which companies handle sensitive user data, and taking into account the number of data breaches that keep occurring year after year, a regulation such as this would put a lot of power in the hands of the user.
Just consider one example.
With the advent of these new data protection laws, the sheer scale of data grabbing and misuse is coming to light.
Complying with the regulations, the Huffington Post revealed how many third parties have access to the data that’s generated on Huffington Post.
There were at least 112 partners on the list to whom the Post sends information concerning users to enable these partners to target users online.
Other advertising partners don’t exactly fall into the first list but have contractual agreements pertaining to the use of data.
With GDPR now in effect, users can control whether any of these partners is sent data and, if they so choose, can block all of those partners from receiving any data.
Even smart devices like televisions and toothbrushes can collect and send personal data and connect to web addresses and transmit location data.
GDPR puts the data gathering into perspective. Customers didn’t realize the true scale at which their information was getting harvested and then thrown back at them in the form of personalized adverts.
Facebook, on the other hand, allegedly maintains data-sharing relationships with at least 60 device manufacturers, with Apple, Samsung and a few other well-known names at the helm.
Such transparency reveals the true horrors of data sharing arrangements that the public until recently wasn’t privy to.
How they choose to exert it is up for debate.
GDPR includes a right called the right to be forgotten, under which customers can ask these companies to remove all of their personal data forever.
With this new right, companies are also required to give customers easier access to their own data.
You may have seen a lot of emails recently telling you how to access this data and describing the new policies that are in agreement with GDPR.
The emergence of scams
With lots of emails doing the rounds from so many companies, it’s easy to get confused and lost.
You’re probably asking yourself whether you ever signed up with these companies at all.
And in some cases you might be right.
There have been instances where criminals posing as representatives of Airbnb emailed users of the site and told them that they wouldn’t be able to add new bookings until they clicked a link.
The scammers carried on the scam by mentioning EU regulations and then asked for personal details and credit card information.
That’s good news.
Under the rules, any breach leading to a leak of customer details is a cause for concern and should be immediately made public and reported within 72 hours to the regulatory agency.
Again, just because new regulations are in place doesn’t mean that all companies are readily equipped to help users with the new features and demands.
Companies are still playing catch-up and would probably do that for some time.
Here are some examples of non-compliance and problems that keep arising as companies try to wrap their heads around the idea.
Like the recent Cambridge Analytica debacle.
Carelessly using the data or misusing the same can result in fines to the tune of 20 million euros or up to 4% of a company’s global revenue.
It isn’t immediately clear if the law mandates the same but it’s clear that most companies want to stay ahead of the curve.
Other analysts call it a power play, with most ruling agencies seeking to reduce the power that companies like Google and Facebook wield.
Coming to those two giants, one in the search space and the other in the social media space.
On day one of GDPR implementation, both sites were sued for $8.8 billion.
The case was filed by the social activist Max Schrems, who argues that both companies are far from anything that provides a semblance of being GDPR compliant.
His argument is based in fact. GDPR requires that companies seek explicit permission from users before they get access to their data.
What they currently have is a platform that blatantly refuses to do so. This goes on even as Mark Zuckerberg does the rounds of several parliaments clearing up his stand on the Cambridge Analytica data breach.
Some other companies have decided not to offer any services to users based in the EU at all.
One thing’s for sure. Clarity on the implementation of the new regulations hasn’t emerged, with many details still hazy.
Personalization through contextual targeting is making a comeback, according to one article.
The way marketers advertise is changing. In order not to take any risks with advertisements, most advertisers are ditching advertising techniques that employ a lot of data and drill down by target audience interests, ages, demographics and personal information.
Instead, they’re switching gears in favour of something else, something older.
Contextual targeting, where advertisers target audiences based on the context of what they’re reading, is gaining favour.
It seems that behemoths like Facebook and Google, who make their bread and butter by monetizing personal data, are being reined in courtesy of compliance fears.
That being said, 8 EU countries have still done nothing to change their laws to reflect the new legislation, which is irksome.
As some countries move to the new law and others take their time to do the same, uncertainty prevails and looms large.
It’s difficult for companies to comply when they’re uncertain about what they’re to do, and that might hinder progress.
Let’s consider the case of India.
Of late, the vast nation has made Aadhar, a national identity card, mandatory for all her citizens. The card ensures that citizens have access to government benefits and has turned into a mandatory document to open bank accounts, take telephone connections and avail subsidies.
But data breaches are more common than ever.
Many times, personal data pertaining to millions of Aadhar account holders was breached and posted publicly. In other cases, data pertaining to millions of users that leaked from services employing Aadhar, for instance telecom accounts, was posted publicly for sale.
The government has meanwhile denied all reports on the fragility of the current ecosystem in protecting personal data of millions.
Perhaps they’ll come up with stricter protocols on how this data is harvested and limit access for services pulling this data from the UIDAI database.
What do you think of the new data protection laws? How have they been affecting you?
Do let us know.