by
Kelly Ommundsen*
Contrary to what many people believe, this is not a result of the recent high-profile instances of data use and misuse. It’s not a mere change in the legal fine print – these companies are preparing for a massive transformation in the regulatory landscape that will have wide-ranging impacts for organizations and users alike.
The General Data Protection Regulation (GDPR) comes into effect on 25 May and represents the biggest change to European data privacy and data protection laws in more than 20 years. This new framework aims to gives individuals more control over their personal data and simplify the regulatory environment, so they can more fully benefit from an inclusive and trustworthy digital economy.
But what does this mean for you?
1. It’s not just for Europeans
While GDPR was passed by the European Commission, it does not only impact Europeans. The new regulation applies to any organization or business operating on European soil, as well as those outside offering goods and services to EU citizens, including online business. Given the global nature of the internet, this means the majority of online services and individuals are affected in some way.
2. All of your sensitive information is protected
The definition of “personal data” has been expanded to include everything from your name, location, photos and bank details – as well as other ways that you could be individually identified online, like your IP address. Your sensitive personal information, such as genetic data or data that would reveal your sexual identity, political opinions, or religious affiliation, is protected under GDPR as well.
3. The right to be forgotten
If your information is no longer required for the purpose for which it was originally collected, was obtained illegally, or you did not consent to have your data collected, you have the right to have your data erased. If your data is incorrect or out of date, but you don’t want it all erased, you also have the option to have it updated.
4. You are in control of your data
Under GDPR, you have choice and control. Explicit consent is required to gather and process your information, which means companies will be requesting permission to collect your data much more frequently – and you will be seeing many more “click to proceed” or “do you agree?” windows popping up in the future.
5. Your boss has to comply as well
Access to data and personal information stored about you also applies to your employer. With these new regulatory tools, if you are located in the EU, you can file a request to have all the data that has been collected about you as a worker – including interviews, performance reviews, payroll and attendance records, as well as any emails to, from, or about you, and your company must comply within 30 days or face severe penalties.
6. You can transfer your data more easily
Want platform flexibility or to switch providers altogether? You will now have the power to download all the data an organization has on you in a readily usable format, letting you check what companies have collected, as well as easily transfer your data between platforms.
7. Your data is safer
The new rules bring a new level of safety and protection for users. Organizations have to meet a higher level of security to ensure integrity and confidentiality of your data, using encryption and other cyber-resilience solutions.
8. You will be notified if there is a breach
Organizations can no longer leave users in the dark if they are attacked and data is compromised. While GDPR aims to keep your data safe and protected, cyberattacks and cybercrime still remain a risk. Should your personal data be compromised, organizations are required to notify the authorities or individuals within 72 hours of a security breach.
Companies are also strongly incentivized to comply or face fines up to 4% of annual global revenue – which could translate into billions of dollars for top global platforms.
Gold standard for privacy
In short, the GDPR was designed to empower individuals to know, understand and consent to the data that is collected about them. It turns the current data-business model on its head – according to which companies were incentivized to collect as much data from users as possible in order to monetize it in the future – towards one that is more balanced. Rather than having the burden of opting out, consumers will have the opportunity to opt in if they choose; this new paradigm rewards trust rather than taking advantage of vague implied acceptance.
Although there may be some companies who prefer to fragment and silo their data and treat it differently across different geographies – this runs the reputational risk of companies being seen as intentionally providing a lower “fool’s gold” standard of privacy and protection to some of its consumers and not others. At the end of the day, it may be better for businesses to view GDPR as the gold standard for how all personal data should be treated, regardless of where it comes from.
As the EU leads the charge as a global pioneer in strengthening the trustworthiness of data with GDPR, many people believe that these four letters could have ripple effects around the world, encouraging others to raise their privacy standards. While it’s likely varying interpretations and even strong opponents will remain, as norms change and consumers demand more control, the GDPR presents an initial set of policies that can enable an inclusive and trustworthy digital ecosystem to emerge.
*Community Lead, Digital Economy and Society System Initiative, World Economic Forum LLC
**First published in weforum.org
By: N. Peter Kramer
