I have thought for years about how postings have appeared in my Facebook and LinkedIn feeds, where I questioned “how could they know?” As the saying goes, if you are not paying for it, you’re the product.
The revelations tied to the Cambridge Analytica scandal are only the trigger for us to reflect on developments that we have tolerated for over 20 years. Data privacy is an issue we have all taken too lightly.
It has been quite interesting lately following the conversations about the remedies proposed by Facebook, Google, LinkedIn and others. Their actions are tied not to happenstance but rather to provisions that take effect in the European Union as of the 25th of May, 2018.
The EU General Data Protection Regulation contains directives that are more evolutionary than revolutionary, but the timing is quite poignant. Here are some of the main features we can expect:
Territorial Scope – The regulation applies if you are dealing with personal data of any residents within the European Union. This is not tied to commerce. If you have the data, wherever you are, these laws apply to you.
Penalties – They could be as great as 4% of your annual global turnover or EUR 20 Million, whichever is higher.
Breach Notification – You will have 72 hours to inform those individuals that their data has been compromised.
Right to Access – You have the right to request a copy of your personal data that a company possesses. This also applies to your employer.
Right to be Forgotten – You have the right to have such data deleted. This directive is not new, but the enforcement will be more rigorous.
To get 28 countries to agree to such provisions was no easy endeavour, and so these regulations have been years in the making. With all the talk though of what steps should be taken to redress the data privacy abuse that has been taking place for years, the European Union has established a benchmark that will very likely become a de facto standard for other regions of the world. If you are holding data on any EU resident, these rules apply.
Just as California has often acted as the catalyst in changing the regulatory standard throughout the United States, one can view the GDPR as achieving a similar function for the rest of the world when it comes to personally identifiable information (PII).
We will soon be holding a virtual workshop to get companies GDPR ready. You can find more information here.