GDPR – Privacy as a fundamental right and its impact
The stuff coming out about Cambridge Analytica and Facebook is scary, to say the least. People are to some degree responsible for putting their trust in these platforms, which make money from ads that use their personal data to target them. The global mood is pretty evident from the #deleteFacebook campaign and the many organizations and celebrities boycotting Facebook, which has been the center of attention for the last few weeks. Governments around the world need to act, and the EU is leading the way.
GDPR is a general privacy law protecting citizens of the 28 EU member states. Many EU members already have privacy laws in place, but largely these laws were not enforced. GDPR is not confined to any particular kind of personal data, making it a much broader privacy law that will make it much harder for data brokers and ad tech companies to work with the personal data of EU citizens.
The law requires companies to make it clear how data flows through their systems and what information about the user they collect, to obtain consent in a way that is easy for users to understand, to let users access and move the data collected about them, and to grant users the right to be forgotten, essentially allowing users to tell companies to delete their data. And there is much more.
It will prevent information monopolies and allow innovative data reuse. Toby Beresford, CEO @ Rise.global, thinks LinkedIn might have to open up its API. But I think they already provide a data export that qualifies as machine readable, and there is enough ambiguity in the law that companies will use the approach LinkedIn already takes to keep people on their platform.
Some companies already have plans to exit the EU as a business, as they see this law as protectionist with expensive consequences. But some might not have that option because they have a sizable business in the EU that they wouldn't want to lose, for example Facebook.
Personal health data, which will also come under this law, will become easier to move as companies are forced to comply and allow users data portability. This might have a profound effect on health and health-related services. Jennifer Michelle from Michelle Marketing Strategies rightly points out, “HIPAA compliance is not sufficient to ensure GDPR compliance”. HIPAA is a very specific privacy law dealing with patient data and patient privacy. GDPR addresses a much broader set of issues users face when dealing with companies that use their personal data.
The drafters of the law have put in a lot of work to improve data portability, but Andries Van Humbeeck @ TheLedger.be points out that in some ways it is having the opposite effect for applications built on blockchain technology. It would be difficult to build GDPR-compliant apps on a blockchain, depending on how the “Right to erasure” is interpreted, because data written to a chain cannot simply be deleted.
If you are an engineering team dealing with GDPR, Bryan Soltis @ Kentico thinks “your mettle may be tested”. You will have to think carefully about your data flows, your consent forms, how you allow users to delete and export their data, and more.
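To make the engineering side concrete, here is an added example (my own illustration, not code from the original post or from any of the companies mentioned) of the pieces a team ends up building: a data inventory recording which stores hold personal data and whether records must be retained after an erasure request, a consent log that records which version of the notice the user agreed to, a machine-readable export that serves access and portability requests, and an erasure routine that deletes what it can and pseudonymises what it must keep. The store names, field names, sample users and retention rules are all constructed for the example and are not legal advice.

```python
"""Added example (not from the original post): an in-memory model of the
data inventory, consent log, export and erasure routines a team needs for
GDPR data subject requests. All stores, fields and retention rules are
constructed for illustration."""

import hashlib
import json
from copy import deepcopy
from datetime import datetime, timezone

# Data inventory: every store holding personal data, the personal fields it
# holds per user, and whether records must survive an erasure request
# (constructed rule: orders are kept for accounting, profiles and analytics
# are not).
DATA_INVENTORY = {
    "profiles": {"fields": ["email", "name"], "retain_after_erasure": False},
    "orders": {"fields": ["email", "shipping_address"], "retain_after_erasure": True},
    "analytics_events": {"fields": ["ip", "page"], "retain_after_erasure": False},
}

# Constructed sample records; user_id is the internal key linking stores.
STORES = {
    "profiles": [
        {"user_id": 7, "email": "ana@example.org", "name": "Ana"},
        {"user_id": 8, "email": "bo@example.org", "name": "Bo"},
    ],
    "orders": [
        {"user_id": 7, "order_id": 101, "email": "ana@example.org",
         "shipping_address": "1 Main St", "total": 42.0},
    ],
    "analytics_events": [
        {"user_id": 7, "ip": "203.0.113.5", "page": "/pricing"},
        {"user_id": 8, "ip": "203.0.113.9", "page": "/"},
    ],
}

# Consent log, append-only: the notice_version lets you show later exactly
# which text the user agreed to.
CONSENTS = []


def record_consent(user_id, purpose, granted, notice_version):
    entry = {"user_id": user_id, "purpose": purpose, "granted": granted,
             "notice_version": notice_version,
             "at": datetime.now(timezone.utc).isoformat()}
    CONSENTS.append(entry)
    return entry


def has_consent(user_id, purpose):
    """Latest decision for the purpose wins; no entry means no consent."""
    decisions = [c for c in CONSENTS
                 if c["user_id"] == user_id and c["purpose"] == purpose]
    return bool(decisions) and decisions[-1]["granted"]


def export_user_data(user_id):
    """Access / portability request: every personal field from every store in
    the inventory, plus the user's consent history, as a JSON-serialisable dict."""
    bundle = {"user_id": user_id, "data": {}, "consents": []}
    for store, spec in DATA_INVENTORY.items():
        rows = [r for r in STORES[store] if r["user_id"] == user_id]
        bundle["data"][store] = [{f: r[f] for f in spec["fields"] if f in r}
                                 for r in rows]
    bundle["consents"] = [deepcopy(c) for c in CONSENTS if c["user_id"] == user_id]
    return bundle


def _pseudonym(user_id, field):
    # Unkeyed hash used only to keep retained records internally consistent;
    # a production system would use a keyed hash or a tokenisation service so
    # the value cannot be recomputed from the original.
    return hashlib.sha256(f"erased:{user_id}:{field}".encode()).hexdigest()[:16]


def erase_user(user_id):
    """Right to erasure: delete the user's records from stores with no retention
    duty and replace personal fields in records that must be kept. Returns a
    per-store summary suitable for an audit trail (it holds no personal data)."""
    summary = {"deleted": {}, "pseudonymised": {}}
    for store, spec in DATA_INVENTORY.items():
        mine = [r for r in STORES[store] if r["user_id"] == user_id]
        if spec["retain_after_erasure"]:
            for r in mine:
                for f in spec["fields"]:
                    if f in r:
                        r[f] = _pseudonym(user_id, f)
            summary["pseudonymised"][store] = len(mine)
        else:
            STORES[store] = [r for r in STORES[store] if r["user_id"] != user_id]
            summary["deleted"][store] = len(mine)
    # Consent records are personal data too, so they go as well.
    CONSENTS[:] = [c for c in CONSENTS if c["user_id"] != user_id]
    return summary


if __name__ == "__main__":
    record_consent(7, "marketing", True, "v2")
    print(json.dumps(export_user_data(7), indent=2))
    print(erase_user(7))
    print(json.dumps(export_user_data(7), indent=2))
```

The inventory is the part most teams are missing: without an explicit list of which stores hold which personal fields, both the export and the erasure are guesswork, and analytics and log pipelines are the stores most often forgotten.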
Do you have to comply with GDPR as a US / UK or international company not physically located in the EU?
GDPR has an extended reach. You don’t have to be physically located in the EU: as an organization, you are required to comply as long as you process the data of users in the EU.
Attorneys and software consultants like us have a business opportunity to help organizations across the globe serve their customers better by providing clarity on how they intend to store, process, transmit and use their data. You are also seeing startups come up with products specific to the legislation; Databoxer.com, for example, makes it easier for companies to manage GDPR consent.
When does GDPR take effect?
GDPR was enacted in 2016, but the deadline to comply is May 25, 2018. That was enough time for companies to get things in order, yet we are seeing a lot of organizations late to the party.
Fines on Violations
An organization can be fined up to 4% of its annual global revenue from the previous year or 20 million, whichever is higher. The keyword here is “revenue”, not profit. Each member state has a supervisory authority that is supposed to enforce this.
GDPR is a bold step towards privacy and towards governments helping citizens protect their data. Many are hopeful about getting to exercise this as a right and protecting their personal data; many are concerned about the burden it will put on organizations and how it might add a paywall to various free services that relied on monetizing user data. People on all sides of this debate are eagerly waiting to see its impact as it comes into effect in less than a month! What are your thoughts on how GDPR will change the privacy story across the globe?
About CauseCode: We are a technology company specializing in Healthtech-related Web and Mobile application development. We collaborate with passionate companies looking to change health and wellness tech for good. If you are a startup, an enterprise or generally interested in digital health, we would love to hear from you! Let's connect at email@example.com