EU's new data protection rules come into effect

The European Union’s General Data Protection Regulation (GDPR) was brought into full effect on May 25. The GDPR will set a higher bar for obtaining personal data on the internet, higher than ever seen before.

May 29, 2018 08:27 IST

The European Union’s General Data Protection Regulation (GDPR) was brought into full effect on May 25, 2018.

The new data protection rules clarify individual rights to the personal data collected by companies around the world for targeted advertising and other purposes.


The GDPR was enacted back in April 2016 with the goal of giving citizens and residents of the EU better control of their personal data and simplifying related regulations for businesses.

There was a two-year gap between its passage and its start date, to give businesses a grace period to bring themselves in line with its measures.

What is GDPR?

The General Data Protection Regulation (GDPR) will regulate the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.

The regulation will not apply to the processing of personal data of deceased persons or of legal entities.

The rules will also not apply to data processed by an individual for purely personal reasons or for activities carried out in one's home, provided there is no connection to a professional or commercial activity.

Key Highlights

The GDPR sets new rules for how companies manage and share personal data.

Though the rules apply only to the citizens of the European Union, the global nature of the internet means that nearly every online service will be affected.

While the regulation largely builds on the rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, it expands on those measures in two crucial ways:

- The GDPR sets a higher bar for obtaining personal data on the internet, higher than ever seen before.

- Any time a company wants to collect personal data of an EU citizen, it will require explicit and informed consent from the person concerned. The rule explicitly extends to companies based outside the EU.

- The companies will have to clarify how long they retain data.

- The rules will also force companies that suffer data breaches to disclose them within 72 hours.

Penalty for violation of GDPR

In case of violation of the rules, the GDPR has set maximum fines per violation at 4 percent of a company’s global turnover or $20 million, whichever is larger.


For an industry that survived on collecting and sharing data with little or no restriction, the rules mean the complete rewriting of privacy policies and how ads are targeted online.

Though the rules have come into effect at a time when Facebook is facing an enormous privacy crisis following the Cambridge Analytica data breach scandal, the timing is purely coincidental.

How will this affect the user?

Not much is expected to change for the user. The companies will continue to collect and analyse the personal data of users from the phones, apps and sites they use.

However, the companies will have to justify why they are collecting the information and where it will be used. They would be prevented from using the data for a different purpose later.

The companies would also be required to give the EU users the ability to access and delete data and to object to any particular data use.

Which companies will get affected by the rules?

The new rules will apply to all users in the European Union, regardless of where the companies collecting, analysing and using their data are located.

Hence the rules will affect social networking giants such as Facebook and Google, as they have millions of users in Europe.

Further, the companies based in the EU will have to offer the privacy protection rules to all their users, not just EU residents.

