Everything You Need to Know about the GDPR
by Charles Bowen
The General Data Protection Regulation (GDPR) recently went into effect across the European Union (EU). The GDPR is a data privacy law that gives citizens of the EU far more control over their personal data and requires businesses to keep all such data private, safe and protected.
This law was passed in response to the Cambridge Analytica scandal in which the private personal data of millions of people was sold to England’s “Leave the EU” campaign and Donald Trump’s presidential campaign in 2016.
Any company that collects data on people who live in the EU must follow the new regulations, no matter where the company is based. That means that if you own a company in Savannah but sell to a European customer, you are subject to the new GDPR privacy rules.
To better ensure privacy and protection, companies must now obtain their customers’ explicit consent in order to store their personal information. This request for consent must be clear and written in plain language (rather than buried in 50 pages of terms and conditions).
Any company that does not obtain this explicit consent may only store a customer’s personal data if it can prove it has a “lawful basis” for doing so, such as a contract or other legal obligation.
In practical terms, this means businesses will have to pay a lot more attention to the security of their customers’ personal data, and they will not be allowed to hold onto it for any longer than necessary. Also, anyone can ask for their personal information to be deleted from a company’s servers at any time.
Any company found to be in violation of these new rules will face huge financial penalties. Large companies can be fined up to 4 percent of their annual global sales, which can run into billions of dollars. Even small companies can be fined up to $23.5 million.
The GDPR was designed to protect consumers due to the large number of cyber attacks and data leaks over the past few years. And despite the fact it is a European law, given the global reach of the internet, it has been estimated that 92 percent of American businesses will be affected.
There are currently no plans to expand the provisions of the GDPR to the United States, but many experts believe that, given the almost daily occurrence of large-scale data hacks, it is only a matter of time until such protections are extended worldwide. It will be interesting to see how effective the EU’s monitoring of the GDPR is over the next several months and how aggressively violators are prosecuted.
It seems clear, however, that data breaches and mishandling of personal customer information will be a lot costlier.
Despite the effort it will take to understand, implement and enforce the GDPR, it is hard to deny some type of action must be taken. Anyone who has ever shopped for a product on Amazon and then immediately seen an ad for the same product on Facebook knows how creepy and invasive the internet’s targeted advertising technology can be.
The National Security Agency can use that same system to seamlessly track almost anyone in the United States, and political firms such as Cambridge Analytica can use it to secretly single out political subgroups and sell that data.
Hopefully, the GDPR is a good start in restoring a bit of privacy to the worldwide web, but it’s just the first step of a long process.
Charles Bowen is a business attorney who focuses on commercial, banking and manufacturing law and also offers comprehensive mediation services. He may be contacted at 912.544.2050 or cbowen@thebowenlawgroup.com