GDPR and Its Effect Since the Go-Live Date

August 1, 2018 JAI CHANDARANA

The General Data Protection Regulation (GDPR), now in force, has the primary aim of strengthening the data rights of European Union residents, and it harmonizes data protection law across the member states. It backs those objectives with fines for organizations that misuse personal data. For the most serious infringements, the penalty can reach 4 percent of a company's worldwide annual turnover or €20 million (approx. $23.4 million USD), whichever is higher; a lower tier of 2 percent or €10 million applies to failures such as not notifying a breach. Organizations are accordingly far more forthcoming about what data they collect and how they use it.

Many users have enjoyed free online services in exchange for personal information such as names, contact details, political leanings, and so on. In some cases the organizations collecting such details presented terms and conditions and consent checkboxes for users to agree to the use of their data. Handling personal data this way has had real consequences. The recent Facebook and Cambridge Analytica scandal showed how personal information can be misused. In 2017, Vizio paid $2.2 million to settle FTC and New Jersey charges over its data collection practices: it had been tracking what was being watched on more than 11 million internet-connected TVs without viewers' knowledge and sending that data back to Vizio's servers.

GDPR is arguably the most consequential data privacy regulation since the Internet became mainstream, and its impact has been felt globally. The Regulation took effect on May 25, 2018. Despite having been given 24 months from adoption to prepare, most businesses did not act in time, and many are still struggling with the requirements.

Meanwhile, people across the globe have been greeted by cookie banners asking them to approve the placement of cookies. The banners are likely to remain intrusive, because GDPR consent requires an affirmative act: silence, pre-ticked boxes or inactivity do not count. People have also received a near-constant flood of emails about updated privacy notices asking them to reconfirm consent. Users now have the right to choose whether to share their data or to opt out. In practice most people will approve such requests to keep using their favorite sites, but they are at least asked before continuing. Consent is also only one of several lawful bases for processing under the Regulation; an organization relying on a contract with the user or on its legitimate interests does not need to ask for consent for that processing.

Tech giants such as Facebook are working to meet GDPR requirements. Facebook has announced a 'Clear History' feature that lets users see which apps and websites send Facebook information about their activity, clear that information from their account, and turn off Facebook's ability to store it going forward.

Another notable impact has been felt in the news industry. Some United States newspaper companies now block European Union residents from their websites rather than risk a breach of the Regulation and the large penalty that could follow. Tronc, Inc., whose portfolio includes the New York Daily News and the Chicago Tribune, has blocked readers in the EU. Lee Enterprises, which owns several newspapers and publications, has done the same, citing "legal reasons."

Fearing non-compliance complaints, some companies have exited EU operations entirely, while others are modifying their models before re-establishing their activities in the region. Pinterest's Instapaper, for instance, has become 'temporarily unavailable' to EU residents, while USA Today serves an ad-free version of its site to EU visitors to remain compliant.

The GDPR has affected the gaming industry as well. Gamers in the EU are protected by the Regulation while playing online or posting in forums. Players now have a better idea of what information is collected about them, but compliance is costly for some companies. The 16-year-old online game Ragnarok and the free-to-play game Loadout, for instance, discontinued their services in the EU on May 25, citing the rising cost of meeting the new European rules.

Stronger cybersecurity is another notable effect of the GDPR. In the run-up to the Regulation, many companies hired experts to prepare, including chief information security officers and data protection officers, who are in high demand from firms that want to stay compliant and avoid harsh penalties. A data protection officer is in fact mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.

The GDPR has also inspired similar laws in other regions, and its standard is becoming a global norm as policymakers create new laws or amend existing ones. California's Governor, for instance, signed the California Consumer Privacy Act on June 28. Once it takes effect on January 1, 2020, the law will require organizations to tell state residents what personal information they collect and how it is used, and it will allow residents to request that companies delete their information.

At the same time, European regulators report a sharp increase in complaints, a sign of public awareness of the new rights. The United Kingdom's Information Commissioner's Office has confirmed a rise in both breach notifications from organizations and data protection complaints from individuals. In Austria, more than 100 complaints and 59 breach notifications have been filed under GDPR. In France, complaints are up more than 50% compared with the same period in 2017. Some of the complaints target tech giants such as Facebook and Google, which are accused of forcing users to consent to data processing in order to keep using their services.

Ultimately, both positive and negative rhetoric surrounds the GDPR. What is clear is that companies will keep taking the Regulation seriously, which means adopting sound cybersecurity and data protection measures. The GDPR gives businesses a chance to refocus their information security and governance efforts on protecting personal data. Under stricter rules such as GDPR, a company has to re-evaluate why it retains the data it holds. Mapping that data and questioning the purpose of each collection encourages a more rigorous and disciplined treatment of personal data. The company must also review the security measures around the handling of personal data and put in place the additional procedures without which GDPR compliance cannot be achieved.

 
