- The EU is implementing major new data privacy regulation this week.
- It affects any company that processes EU citizens’ data, regardless of whether or not the company is based in the EU.
- The GDPR has sent Silicon Valley scrambling to keep up – here’s what you need to know.
New regulations in the European Union are making a major headache for Silicon Valley.
Tech companies are currently scrambling to get ready before May 25th, the date that will see the implementation of a major new piece of European data privacy legislation: GDPR.
Here’s the quick-and-dirty version of what you need to know.
It stands for General Data Protection Regulation.
So what actually is it?
It’s a major new piece of European regulation that addresses how EU citizens’ data can be used by corporations, introducing strict new rules around gaining people’s consent to process their data. It was approved by the European Parliament in April 2016, and it’s finally coming into effect in May 2018.
So what does it mean in practice?
GDPR furnishes Europeans with a number of additional rights when it comes to their data.
Companies need to ask customers for their data in a clear and accessible way. Those customers will have the right to demand organisations delete their data when asked. They will be able to ask for information on how and why their data is being processed. They will also be able to request copies of their data in a machine-readable format so they can take it elsewhere.
And if a company that holds their data realizes it has been breached, it must notify the relevant data protection authority within 72 hours of becoming aware of the breach and, where the breach is likely to put people at high risk, tell those people without undue delay.
Who does it affect?
Any organisation that handles the personal data of people in the EU is affected, regardless of where it is in the world, if it offers them goods or services or monitors their behaviour. Even if a company has no offices in Europe, and its employees have never set foot on the continent – if they’ve got EU data, they’ve got to play by EU rules now.
When exactly is it happening?
GDPR will come into effect on May 25 – actor Cillian Murphy’s 42nd birthday, and the seventh anniversary of the last ever episode of “The Oprah Winfrey Show.”
And what happens if companies don’t comply?
Organisations in violation of the GDPR won’t just get a slap on the wrist – there are some serious potential penalties. A company in breach of GDPR can be fined up to 4% of their annual global turnover (i.e. not just revenues generated in Europe) or €20 million, whichever is higher.
Are people ready?
A lot of them aren’t.
Many US companies haven’t realised that GDPR applies to them even though they don’t have a physical EU presence, Kris Lahiri, chief security officer of enterprise file storage company Egnyte, wrote in an email to Business Insider in April – and even some of those that were aware of the issue didn’t necessarily “realize the amount of work it was going to take in order to be GDPR compliant.”
It’s a big deal, and dramatically changes how companies need to approach data. “The status quo has been completely re-defined,” he wrote.
“Previously personal identifiable information, or PII, was defined as data such as e-mail addresses, social security numbers, bank accounts, etc … PII has been extended to cover any data that can be used on its own or in conjunction with other data to identify someone, i.e. IP addresses, fingerprints, retina scans, and much more. That alone is a significant change for companies as their basic scope of classification and governance over data needs to grow substantially,” wrote Lahiri.
Why are companies making such a fuss about complying?
For some companies, becoming GDPR-compliant isn’t just a matter of toggling a few settings: It may require a significant overhaul of their internal systems.
“Many companies are still using legacy infrastructure, such as handwritten records or tape storage, which makes compliance extremely difficult under those circumstances. Thus, in order to comply with The Right to Be Forgotten, many businesses are being forced to modernize their infrastructure to create more manageable processes and protocols,” Lahiri said.
What sort of changes are companies making?
With only days to go, companies are moving to make sure they have consent to hold the data they do. Many mailing lists are asking European users for permission to keep emailing them, while apps are making people provide explicit permission to use their data.
Facebook, for example, has been prompting users to agree to how it wants to use their data – but has also been criticized for not providing users with a clear yes-or-no choice, with some experts suggesting its prompts might not be GDPR-compliant. (Facebook has previously said it is working to ensure it is GDPR-compliant by the deadline.)