If you aren’t familiar with the General Data Protection Regulation (GDPR) yet, it’s about time you get familiar. The GDPR, which was approved in the European Union in April 2016 and will go live on May 25, 2018, is the most ambitious set of privacy laws to ever be passed.
In the age of big data, the GDPR was designed to protect individuals and their right to determine how their data is used by companies that collect it.
In 2018 alone, we’ve already read about major data breaches involving companies like Equifax and Facebook. The GDPR works to protect an individual’s privacy and to hold major companies accountable for the data they are collecting about their users.
The Basics of the GDPR
Companies will now require the consent of individual users before collecting their data. If consent isn’t granted, a company will not be able to collect your data, and companies that abuse these laws face substantial fines.
The legislation will directly affect “controllers” and “processors” of data.
What is a Controller?
A controller is any entity that states how and why data is collected and processed. For example, Amazon, Facebook, and Google are all controllers because they collect and control how the data is accessed, analyzed, and processed.
What is a Processor?
A processor is any entity that handles the processing of the data. In most cases, this will be IT firms that store the data and directly interact with it in some way.
With the rise of the Internet of Things, personalization, and other big data initiatives, the GDPR was a much-needed piece of legislation to motivate companies to develop secure systems for collecting, storing, and transferring user data.
Under the GDPR, individuals will now have more power to control how their data is collected and handled.
Here are just a few of the new rights and requirements:
- A company will need a user’s consent before it can collect that user’s data.
- Individuals can call on companies to delete their existing data as well, ushering in a new era of digital privacy.
- Consent for users under the age of 16 can only be granted by their legal guardians.
- Users will have the right to know how and where their data is being used.
Penalties for Violating the GDPR
While you may be thinking that it seems easy for companies to ignore these requests, the EU is already one step ahead. Companies that violate these types of requests will face major fines.
Failure to comply with the GDPR can result in fines of 2 to 4 percent of a company’s annual revenue or €20 million, whichever is larger.
For larger technology companies, a fine this large is crippling and has prompted a large-scale response to the legislation.
The Authoritative Bodies in the GDPR
There are three main bodies that serve in an authoritative role under the GDPR. These bodies include:
- The European Commission: This body represents the general interests of the EU, consists of 28 commissioners, and is responsible for enforcing EU laws.
- The European Parliament: Like other parliaments, members of the European Parliament are democratically elected and responsible for passing new laws.
- The Council of Ministers of the European Union: The different ministers are responsible for adopting legislation and dealing with budgets.
The Advisory Bodies in the GDPR
There are two advisory bodies in the European Union. These bodies include:
- Article 29 Data Protection Working Party: This body advises the Commission on data protection matters and data privacy issues and works to promote the GDPR across the EU.
- European Data Protection Supervisor: The EDPS is the main advisory body in the EU. They oversee the processing of personal data, GDPR compliance, and general regulations. They are directly responsible for handling complaints, monitoring new technologies, and general data privacy.
Does the GDPR Affect Non-EU Companies?
While the GDPR is enforced within the EU, any company that interacts with EU citizens must become GDPR-compliant or they may be fined under the new guidelines.
Most large American companies have already developed their own systems to make their companies GDPR-compliant.
When Facebook CEO Mark Zuckerberg testified in front of the House committee, he suggested that Facebook was going to automatically extend the new rights granted under the GDPR to all Facebook users.
The Creation of the Data Protection Officer
Since the initial announcement of the GDPR, companies have been scrambling to create systems to help them follow the new set of rules.
The data protection officer (DPO) is a direct result of the GDPR. Large companies have appointed DPOs in order to develop internal systems that will keep them GDPR-compliant.
Here are just a few tasks a DPO is responsible for:
- Developing systems and policies to keep a company GDPR-compliant.
- Training staff on acceptable data processing practices.
- Performing audits and addressing internal issues on a proactive basis.
- Communicating with the GDPR Supervisory Authorities.
- Maintaining detailed records about a company’s data collection and processing. These reports need to be readily available and made public if requested.
- Interacting with the public to keep them informed about how the company uses their data, their ability to have it erased, and anything else related to the data the company collects and uses.
The GDPR Isn’t Optional
Making your company GDPR-compliant may seem challenging, but it’s something all companies need to do before the legislation goes live next week. Whether your company is big or small, you need to take the right steps to become compliant.
Recommend is a GDPR-compliant personalization platform that falls under the processor label in the GDPR guidelines. We provide automated, on-site recommendations to your users as they browse online stores in order to boost conversions and increase user engagement.
If you have any questions about the GDPR, how we have made our company compliant, or the Recommend platform, you should contact a member of our team today.
The Recommend Team