You’ve probably received a number of emails recently from companies advising you that they’ve recently updated their privacy policy.  It isn’t a coincidence that they’ve all decided to do this at the same time.   The European Union (EU) is rolling out a new policy called General Data Protection Regulation (GDPR).   It’s designed to protect the personal data and privacy of EU citizens that is collected by businesses over the Internet.

Even though it coincides with the recent scandals at Facebook, it’s not a new move by the EU.  It was actually adopted by the European Parliament in April 2016 and it replaces a previous outdated policy called the Data Protection Directive which was introduced back in 1995.

So, what exactly is it?  Well it’s designed to protect the personal data that online companies store about you.    Any organization who has EU citizens as their customers has to comply, even if they’re not actually based in Europe, so this is affecting businesses around the world. And it doesn’t matter how big the business is, the same rules apply to large enterprises and small businesses.  The only organisations excluded from GDPR are national security or law enforcement.

The new rules took effect on May 18th2018, and include the following:

  • Individuals can request that a company deletes any personal data held.
  • All businesses have to delete personal data when no longer relevant
  • Any data that has been collected without consent must be deleted
  • All data used illegally must be deleted by law
  • Any data deleted, must be made unrecoverable by potential hackers

Large businesses are required to employ staff dedicated to enforcing these new rules.   And the penalties for not meeting the new rules are severe.   You could be hit by €10,000,000 fine, or 2% of your annual turnover.  More serious breaches could reach €20,000,000 or 4% turnover!

Any breach of data, for example if hackers break in and steal information must be reported to both authorities and end customers.   There have been a number of hacks recently where it’s taken a while for the companies involved to announce the breach, so this should help.

While this is all good for the end customer, it’s potentially a lot of work for business to implement.   Some large businesses have taken the option of pulling out of the EU completely, by blocking EU customers from using their service.   For example, Pinterest’s new-clipping service Instapaper has blocked all EU customers from accessing its platform.   Pinterest’s chief, Brian Donohue tweeted “Unfortunately true. We are working very hard to resolve it and restore service for EU users as soon as possible”.

Another example is Unroll.me, a service which was designed to remove clutter from your email has also pulled out of the EU.

Large businesses have been rushing to provide easy access to your online data.   Companies such as Facebook, Spotify etc have now implemented new pages which give you easy access to see the information they hold about you.

Hopefully this new transparency, and the rules around deletion of data will mean that recent scandals where your personal data was being used without your knowledge will become a thing of the past.   A renewed focus on the importance of personal data and how it’s used can only be a good thing – let’s hope that countries outside of the EU take heed and implement similar policies soon too.