All our interactions with the Internet are about exchanging data. We go online to get information, but we also have to be ready to give away our personal details. So does that mean any service can use a user's personal information once the user interacts with it? That is how it has been, but change is coming in the form of the General Data Protection Regulation (GDPR). Let's find out what it implies and how it may impact your work.
What is GDPR?
As the European Commission summarized, “the objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business.” The new rules are expected to help boost the digital economy on terms that benefit both businesses and their customers.
It took nearly four years (between 2012, when the proposal was released, and 2016, when the regulation entered into force) for the General Data Protection Regulation to become part of our reality. However, de facto it is still not there, since it will only be enforced from 25 May 2018.
The period between 2016 and 2018 was deliberately given to companies that work with data so they could fully apply the new regulation to all of their work processes. Of course, not every company handles personal data on the scale of Google, Microsoft or Facebook, but almost every company deals with data. And for companies that deal with the data of EU citizens, applying the changes is inevitable.
Now you may think: all right, things are going to be different, but what about now? What does a violation actually look like? Let me show you with a recent case of large-scale data harvesting that had a worldwide impact.
Cambridge Analytica case and thousands of others
In 2014, information about the friends of nearly 270,000 users who took a personality quiz (which added up to almost 50 million people) became accessible to a third party, Cambridge Analytica. The latter is known as a company that provides political consulting services. The company is accused of using this information to influence the 2016 U.S. election.
Christopher Wylie, who worked at Cambridge Analytica, commented on this:
We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.
However, this case is a drop in the ocean, because, as recently came to light, app developers have had uncontrolled access to the data of the majority of Facebook users. Cambridge Analytica is certainly a big case, but far from the only case of misuse of Facebook users' information.
The thing is that every quiz and game you access through Facebook automatically receives your data, and how it is used afterwards is not controlled. In other words, external developers can use users' information for any purpose and in any way they want.
What you need to know about general data protection regulation
The General Data Protection Regulation is meant to be a tool for bringing order to the chaotic way users' personal data is handled and for giving their privacy back to them. The following are the most frequently asked questions about the regulation, which I have tried to answer briefly and simply.
What kind of data is regarded as personal?
The term “personal data” refers to any information about a user that makes them identifiable: name, location, nationality, age, and so on. Literally everything that makes you distinguishable and recognizable as you is your personal data.
The regulation recognizes pseudonymization as a legitimate way of processing personal data. The idea is that the users' data is encrypted and the encryption key is stored separately. However, this approach should not be relied on too heavily: the data is still personal data, even though it is encrypted.
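To make the caveat above concrete, here is an added example (not code from the original post) that pseudonymizes a constructed sample record by replacing identifiers with keyed HMAC-SHA256 tokens, a common alternative to encrypting the fields, and keeps the key and the token-to-value mapping apart from the record. The record store on its own cannot be attributed to a person, but anyone holding the separately stored mapping can restore it, which is exactly why such data remains personal data.

```python
import hashlib
import hmac
import secrets

# Fields that make a record attributable to a person (constructed sample schema).
IDENTIFIER_FIELDS = ("name", "email")


def derive_token(key: bytes, value: str) -> str:
    """Keyed HMAC-SHA256 of one identifier value.

    Same key and value always give the same token, so records about one
    person stay linkable; without the key the token cannot be recomputed
    from a guessed value or reversed.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes) -> tuple[dict, dict]:
    """Replace identifiers with tokens.

    Returns the pseudonymized record and the token -> original mapping. The
    mapping and the key are the additional information that must live in a
    separate store with its own access control, never beside the records.
    """
    out = dict(record)
    mapping = {}
    for field in IDENTIFIER_FIELDS:
        if field in out:
            token = derive_token(key, out[field])
            mapping[token] = out[field]
            out[field] = token
    return out, mapping


def reidentify(record: dict, mapping: dict) -> dict:
    """Restore identifiers from the separately held mapping.

    That this works at all is why a pseudonymized record is still personal
    data: whoever obtains the mapping can attribute it to a person again.
    """
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        if field in out and out[field] in mapping:
            out[field] = mapping[out[field]]
    return out


if __name__ == "__main__":
    # Constructed sample; in practice the key comes from a separate secret store.
    key = secrets.token_bytes(32)
    original = {"name": "Alice Example", "email": "alice@example.test", "score": 42}
    pseudo, mapping = pseudonymize(original, key)
    print("stored record:", pseudo)
    print("restored with mapping:", reidentify(pseudo, mapping))
```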
What do users gain with general data protection regulation?
The main aim of the General Data Protection Regulation is to give users of digital devices more control over their personal data, which includes the right to know exactly how their data is used. Recall the Cambridge Analytica case and how poorly controlled data processing on the Facebook platform has been.
What kind of businesses are to be affected by new regulation?
The businesses covered by the new regulation are both EU businesses and those located outside the EU, the key condition being that they process personal data of EU citizens. Companies could handle the information of EU citizens differently from everyone else's; this is possible, but not recommended, since it is likely to lead to a mess.
How can businesses prepare themselves?
To prepare, businesses may want to hire an external expert who can help with the transition to the new rules. (This is not required, however; a company can train an in-house specialist to handle this work.)
Such experts are called data protection officers (DPOs). Although the role is similar to that of a compliance officer, a DPO is expected to have in-depth knowledge of the new data protection rules and to help organize the company's work accordingly.
What kind of threats may the regulation yield?
There is a tiered system of fines for companies that violate the terms of the regulation, depending on how severe the case is. The maximum penalty is fixed: 4% of the infringer's global annual turnover.
Given cases such as Cambridge Analytica and the thousands of others that happened because of the uncontrolled handling of users' personal information, the General Data Protection Regulation is definitely something that needed to happen to our digital world.