It has been almost a year since the European Union (EU) implemented the General Data Protection Regulation (GDPR). Put in place to regulate how businesses gather, store, protect, and share data belonging to citizens of the EU, the GDPR is working to further improve data protection and awareness among many organizations well beyond Europe. Since May, the number of complaints about data breaches has steadily increased, and privacy is now seen as more of a human right than in the past. It seems that under these stricter sanctions, data protection is moving in the right direction. However, the recent news of Google’s data abuse fine is bringing to light the demand for companies to better understand what changes need to be made under the GDPR. In order to continue the progression towards better data protection, organizations worldwide must either start educating themselves on how to comply with the regulations or further improve their own data collection procedures and put the privacy of their consumers first.
Before the GDPR there was the Data Protection Directive (DPD). This directive was implemented in the 1990s and shared the same basic principle as the GDPR: people have ownership over their personal information. The biggest difference between the two is that the DPD was a directive while the GDPR is a regulation. While the DPD was originally meant as a way to protect individuals’ data, it became outdated over time. Because it was simply a directive, the DPD was interpreted differently across the EU, eventually leading to a period of inconsistency and confusion among various countries.
Flashing forward to May 2018, the GDPR was created and retained some similarities to the DPD. However, having mandated regulations on companies’ data use practices meant that changes would have to be made in order to avoid violations and fines, as the GDPR does not leave room for interpretation as previously seen with the DPD.
Even though the GDPR was implemented in Europe, some US companies have been on high alert and have prepared accordingly, while others have done little to nothing to make necessary changes to their privacy policies. It was not so long ago that the Equifax data breach took place, in which over 140 million consumers’ personal information, including credit card numbers and driver’s license numbers, was accessed by hackers. This breach was due to the company’s lack of upkeep on its security systems, as well as an absence of transparency about the damage that had been done. The scandal happened in 2017, a year before the GDPR was implemented, but some of the key factors in the case were not unlike those of Google’s recent infractions.
The facts of the Google case are extensive, but the basic premise of the scandal is misuse of data and a lack of transparency and valid consent from Android users, which resulted in a fine of 50 million, the highest the GDPR has issued so far. Just like the Equifax breach, failing to be transparent with consumers causes much more harm than good, and seeing an internationally recognized company at the center of the biggest privacy scandal since GDPR implementation only increases the significance of GDPR compliance.
As mentioned above, the US is not under the exact privacy restrictions that the EU is; however, it is still vital that organizations continue to take action in order to avoid future fines. Most importantly, organizations should ensure transparency with consumers when it comes to data collection and use, as this was one of the reasons for Google’s major fine. In addition, obtaining proper consent is just as important as maintaining an air of transparency. The last measure US companies can take to avoid violations is to make sure they are doing business with vendors, other companies, etc. who are also GDPR compliant.
For certain organizations, the regulations under the GDPR specifically may not be as much of a concern; however, stricter privacy mandates are making their way into the US. California recently passed a digital privacy law, which allows consumers more insight into how their personal information is being used, according to an article by the New York Times. The California Consumer Privacy Act (CCPA) is not as extensive as the GDPR, but companies could benefit from putting into practice the steps mentioned above to maintain GDPR compliance, as this will hopefully help to avoid fines as more states pass their own privacy regulations.
While there are still many questions about the GDPR and its overall effect on the technology industry, it is still important to understand the basic principles and regulations that were put in place nearly a year ago. Recognizing the differences between the DPD and the GDPR, for not just the EU but also the US, is the first step in avoiding a violation. Being as straightforward as possible with consumers about data collection will keep companies out of a situation like Google’s and will also aid in protection as similar laws, such as the one passed in California, are introduced in the US. Overall, the GDPR is meant to preserve consumers’ basic human right to privacy and to protect their information from data breaches in the future, and the hope is that companies around the world will continue to improve their data collection procedures as a whole.