On the 27th of April 2016, the European Parliament and the Council of Europe signed the General Data Protection Regulation (GDPR). This law basically states that it should be crystal clear to all EU users what data companies, organizations and websites collect about them and how its processed. The new rules apply to all EU service companies, from Facebook and Google to the local soccer club and dentist.
Firms are strongly pushed to examine the way it deals with personal data.
Fines for violating the regulation are quite hefty, with a maximum of €20 million or 4% of global revenues, depending on which is the highest. The good thing about this is that firms are strongly pushed to examine the way it deals with personal data and thereby give consumers more insight and right to decide what happens with their data. In an age when we share more information with Facebook than our own parents, its crucial to rethink the way our privacy is protected.
Consumers will have to proactively make their data available through an opt-in, by which a certified digital person is created. This requires an authentication tool of a sufficiently high level. For online shops, this is a good chance to reduce fraud. The customer can no longer log in with, for example a Facebook profile which is easy to feign, but have to use certified data. As the new rules provide more certainty about the identity of the customer, a more personal interaction, without control questions is possible. In addition, transactions become a lot simpler, because of this certainty of the customer identity. With the need for a lot less credentials or accepting cookies, the user experience considerably improves.
This is a first step towards a world where a strong privacy protection is the norm.
The law is designed to increase the harmonization of national data protection laws across Europe. Before every country had their own rules concerning data protection, with corresponding varying fines. GDPR introduces a single legal framework that applies across all EU member states. For firms this means less hassle crossing borders within Europe, as the same set of privacy rules apply in all EU countries. Besides, this is a first step towards a world where a strong privacy protection is the norm. It creates a level playing field in that companies outside the EU providing goods and services to Union members will be required for the first time to follow the same rules for doing business within the EU. Europe hopes that this will result in a global self-evident standard for data protection.
A school, for instance, has to provide a decent amount of funds to meet the new rules, as they never really paid attention to this topic before.
Even though this all sounds promising, there is another side to the coin. It is going to be quite hard to effectively implement the regulation. Due to the complexity, it is difficult for companies to know whether they are fully compliant. For big companies like Facebook or Google this is probably not too much of an issue as they have many lawyers and technicians they can use to assure compliance. It is mainly the smaller companies or institutions, who are struggling to be ready for the new regulation by the 25th of May. For them it is hard to know how and whether they comply to the GDPR, as they do not have the same resources and knowledge available as the large companies do. A school, for instance, has to provide a decent amount of funds to meet the new rules, as they never really paid attention to this topic before.
Besides that, the regulation might tone down competition and innovation. As the costs of compliance are increasing barriers to entry and therefore reinforce industry incumbents rather than encourage new enterprises. The raising of legal risks and limiting of data flows will restrain innovation and development of the artificial intelligence industry in Europe.
We noticed that it is a hot topic among many study associations.
As our association itself also falls within the scope of this regulation, the current secretary will shed a light on GDPR and how he will assure compliance. As Carlijn mentions, Risk is also subject to the GDPR. Risk has always been active with the protection of personal data. However, it was not very clear from the start what we would have to do to be compliant with the GDPR. Together with the treasurer, we took responsibility for the new regulation. We have visited several presentation by various organizations on the impact of GDPR. We noticed that it is a hot topic among many study associations. Now that we have a clearer view on the impact of the GDPR, we are mapping our data flows and are increasing the transparency in order to be compliant on the 25th of May.
All in all, we have to wait and see what happens once the law officially comes into force. If small business are not able to meet the new rules in time, will they be ruthlessly punished for breaking the law? Or will this regulation slowly, but steady, ensure data protection for every world citizen?