General Data Protection Regulation (GDPR) – A Primer

General Data Protection Regulation (GDPR) – A Primer

Steve Anderson, RPLU+, Vice President, Product Executive – Privacy & Network Security QBE North America

On May 11, 1973, Sweden became the first country in the world to enact a national data protection law in response to public concerns around the increasing use of computers to process and store personal data. With the advent of the internet 20 years later, the digital world validated these concerns and highlighted the challenges of protecting data that was stored and circulated around the world.

In 1995, the European Union created the European Union Data Protection Directive, which was the first step among many leading to a piece of regulation that could be enforced across multiple boundaries. In 2012, the EU Council and European Parliament proposed a draft of the General Data Protection Regulation (GDPR) and, after several years of negotiation, the EU decided in the Spring of 2016 to adopt and then implement the regulation on May 25 of this year.

The GDPR outlines new rules for how companies manage and share personal data. In theory, the GDPR applies only to EU citizens’ data; however, the global nature of the internet means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies scramble to adapt. A recent Washington Post article commented on the exposure U.S.-based companies doing business in the EU now have:

“European Union regulators have always been much tougher on tech companies than their U.S. counterparts, for instance forcing them to give users more control, imposing fines for noncompliance and requiring platforms to spot and delete illegal content.” Brian Fung, Washington Post, May 25, 2018

U.S.-based companies are often aware of the parameters set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive but the GDPR expands on those measures in two crucial ways.

First, the GDPR sets a higher bar for obtaining and using personal information. By default, any time a company collects personal data on an EU citizen, it will need explicit and informed consent from that person. Users also must be provided with a way to revoke that consent, and can request all the data a company has received from them as a way to verify that consent.

Second, the GDPR’s penalties are severe enough to get everyone’s attention. Maximum fines per violation are set at four percent of a company’s global revenue or $20 million, whichever is larger. That is much more severe than the fines allowed by the Data Protection Directive, and it signals how seriously the EU is taking data privacy. Companies like Google and Facebook could withstand a fine that large but it would be enough to devastate a smaller firm. If the new consent rules ask companies to reshape their data policies, these proposed fines give them the motivation to make it happen.

Companies affected by the new legislation must understand the new requirements and their extraterritorial reach, put into place specific processes to meet the demands of the regulation, and take into account the hefty fines and sanctions that could be levied in the event of noncompliance. From a technology perspective, new paradigms such as big data and artificial intelligence will make compliance a challenge. In a recent article in Fortune magazine, Lilian Edwards, a law professor at the University of Strathclyde in Glasgow, said that “Big data is completely opposed to the basis of data protection.” According to the professor, the issue becomes even more fraught when companies use people’s data to infer things about them as sensitive personal data, which includes things like sexuality and political and religious beliefs, gets even stronger protections under the GDPR.

Two themes are clear. The EU is increasingly reluctant to accept that other jurisdictions are taking sufficient precautions to guard private data, and US companies must take steps to make sure they have the proper safeguards in place if they are doing, or plan to do, business in the EU.

We hope that you find the content useful and invite you to weigh in with comments or suggested topics.

This article was originally published in the October 2018 issue of Reactions magazine.