When the story broke that the personal data of millions of Facebook users was mined by Cambridge Analytica, people were shocked and horrified. The size and popularity of Facebook helped propel this story into the headlines for days on end. But it is not the only instance of a data breach. There are news reports on a regular basis of data breaches, from companies of all sizes. The Yahoo, Ashley Madison and Target stories might make bigger headlines, but smaller ones are just as devastating to the people whose personal information falls into the wrong hands.
In an effort to improve consumer protections, the European Union created the General Data Protection Regulation (GDPR), a binding regulation that applies to organizations established in the EU and to organizations outside the EU that offer goods or services to people in the EU or monitor their behavior. The regulation took effect on May 25, 2018. Its text spells out in detail how companies must inform people about the use of their personal data, what obligations apply to anyone processing that data, and the consequences of non-compliance. Here are a few of the important points to know about the GDPR.
- Companies must provide clear notice and well-explained options for consent. Rather than vague "terms and conditions," people must be able to understand exactly what their personal information will be used for, it must be as easy to withdraw consent as it was to give it, and people must be able to refuse the use of their data for direct marketing purposes.
- These regulations protect all types of personal data, meaning any information that relates to an identifiable person, including credit card numbers, web search history, IP addresses and other online identifiers, with additional protection for sensitive categories such as religious affiliation.
- The GDPR gives individuals rights over their own data, including: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
- In the case of a personal data breach, companies must notify the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must inform the affected individuals without undue delay if the breach is likely to pose a high risk to them.
What does the GDPR mean for US-based companies?
As stated above, the GDPR applies to any company that offers goods or services to people in the EU or monitors their behavior, regardless of where the company is based. That means even U.S.-owned businesses, such as Facebook, which has users in the EU, must be able to demonstrate compliance with these regulations. Companies found to be out of compliance can be fined, and for the most serious violations the fines can be as high as 20 million euros (about $24.8 million at the time the regulation took effect) or four percent of annual worldwide turnover, whichever is higher.
It is important for everyone involved with cybersecurity to be aware of these regulations. Obviously, businesses that are directly affected need to make sure they are compliant. But American businesses without ties to the European Union should also be familiar with the GDPR. The transparency and breach-notification discipline it encourages are good security practice in their own right, and it could be that the United States follows with similar regulations in the coming years.
About the Author: Karen Alley is a freelance writer and editor and has worked for over 10 years writing web content and blogs for various businesses.