The new General Data Protection Regulation (or GDPR) does more than create yet another EU rule; it changes the equation for how your data will be handled – especially if you live anywhere in or near the EU (sorry Brexiters) or do business with it. This new regulation has been passed and approved, and is coming into force in one year. Before then, some countries such as Germany have just passed their own data protection laws, which will bring the EU-wide regulations into play at the local level more quickly.
Mom (the EU) has laid down the law.
When it comes to data security, we are in that special time between when Mom has said that there will be data order in the house and the deadline by which the house must be clean. The official Regulation entered into force on May 24, 2016, and applies on May 25, 2018. This means businesses have exactly one year to get their digital house in order before Mom comes home, raises Cain, and starts waving around the mixing spoon. Even less time if you are in Germany. No, you can’t Brexit your way out of this one.
Data protection in an eggshell.
The EU has stated two primary objectives with this new regulation. First, give its citizens control over their personal data. Second, simplify and unify the regulatory framework for businesses. For consumers, it means that they will have a greater say in how their data eggs get cooked, sliced, and diced. For businesses, this means getting ready now — if they are operating within the EU or have customers there.
Ten eggs, not a dozen.
By putting a cohesive package of data rules together, the EU has slowly moved to replace the current hodgepodge of rules. Not only will this help create a Digital Single Market, it also sets up the rules for any businesses outside of the EU that want to do business with EU citizens. It is really a much bigger deal than just the EU.
There will be crying over dropped eggs.
Companies that work with or process your private data will be held responsible for it – telling Mom that the data controller did it will no longer be enough. So if there is a data breach, there are multiple layers of accountability. Spanks can now go all around.
Go ahead, complain about that fried green egg.
You will be in a much better position to complain about how your data has been mishandled and processed. This ability includes collective redress, the European-style variant of an American class action lawsuit. The ability to file for collective redress will magnify the collateral fallout from data breaches, ensuring press coverage for an extended length of time. So while the direct financial penalties have been upped, so have the PR disaster scenarios.
Erase that bad yolk.
The regulation says that people can demand that their personal data get erased – not just “forgotten.” How this will work in practice and what constitutes “undue delay” remain to be seen.
How do YOU want that egg?
A simple reminder that your data is being collected, with a wimpy opt-out option, will not be enough. Under the new regulation, you have to opt into the data collection scheme in addition to being informed of your rights. With a year on the clock before this regulation is completely in position, it is high time to think about your data – and how to keep it to yourself.