Many of your inboxes have likely been bombarded this week with notifications of privacy policy updates from organizations of every kind. That’s because today is the day that a two-year transition period ends and enforcement of the European Union’s General Data Protection Regulation (GDPR) begins. This new regulation changes the ways in which companies can collect, protect, and use personal data, while bolstering consumer/user rights to their data.
Sound familiar? You might have attended World Trade Center San Diego’s roundtable about Data Protection and Privacy Regulations for EU and APEC back in January.
Here’s some background:
Two years ago, the European Union adopted the GDPR, a regulation that harmonizes data protection and privacy laws for all EU individuals. We say EU individuals because the GDPR applies not just to EU citizens but also to residents, workers, and even foreigners whose data is collected while they are on EU soil. Companies were given a two-year transition period to decide upon and execute a compliance strategy.
Some of the key issues addressed in the GDPR are:
- Enhanced rights of data subjects
- Digital consent
- Right to erasure
- Right of access/data portability
- Responsibilities of the data controller/processor
- Data Protection Officer (DPO) requirements
- Handling of data breaches
- Penalties for non-compliance
The GDPR is a complex legal framework that has been shrouded in controversy from the start. Some have argued that small businesses will be disproportionately harmed by the cost of compliance, despite the initial target of the legislation being data giants such as Facebook and Google. Not that compliance has been a breeze for those two companies either. As the EU’s judiciaries build precedent around this topic, the important thing for companies to do at this moment is to ensure that their privacy policies and marketing efforts comply with the updated regulations.
You can check out our updated (and GDPR-compliant) privacy policy here.