The General Data Protection Regulation (GDPR) is a set of internet regulations concerning personal data management introduced in the European Union in May 2018. In this article, I want to provide a detailed overview of the significance of GDPR, what these regulations entail, the changes they bring, and some criticisms.
Firstly, why were these regulations introduced? The main reason provided for GDPR’s implementation is that our rapidly shifting technological environment is continuously posing new challenges for us in terms of how we handle information – particularly individuals’ personal data.
These new challenges require us to adapt in different ways, and the fact that both private and public companies can now make use of personal data as a key component of their activities means that people’s personal information is being made available globally at unparalleled rates. Betting sites UK have published an infographic, “55 things you need to know about GDPR”, which provides insight for both business owners and consumers about what these regulations include. Hence the new set of regulations, intended to ensure that we keep up with these technological developments.
GDPR is built upon two core principles:
- Giving individuals within the European Union more control over their personal data. One of the main purposes of these regulations is to provide EU citizens with more transparency over how their personal data is processed and used, thereby also increasing their trust in internet companies – trust itself being an essential component of business.
- Introducing a single, unified regulation for all businesses inside the EU. Internet regulation policy is fragmented across the EU, so the introduction of a standardised set of policies equal across all member states will reduce administrative costs and burdens to the tune of approximately €2.3 billion.
Furthermore, these regulations are also set to affect businesses outside the Union that sell goods and services to EU citizens and are otherwise involved in the processing of their personal information.
GDPR introduces a set of eight individual rights for data subjects:
- The right to be informed – this is the right to be informed prior to one’s data being gathered and processed.
- The right of access – this is the right to obtain a copy of one’s personal data as well as other supplementary information if requested.
- The right of rectification – this is an individual’s right to have their information corrected if erroneous or incomplete.
- The right to erasure – this is an individual’s right to have their personal data erased upon request. It is also known as ‘the right to be forgotten’.
- The right to restrict processing – this is the data subject’s right to prevent their data from being processed.
- The right to data portability – this is the right for a data subject to transfer their data between different services.
- The right to object – this is the data subject’s right to stop the processing of their data.
- The right to be notified – this is the right to be informed, within 72 hours, in the case of a data breach in which one’s personal data has been compromised.
Under GDPR, there are three main parties involved in the management of personal data, which is defined as “any information related to a person that can be used to directly or indirectly identify that person.” These parties are:
- Data controllers – they “decide purposes and methods of processing personal data and they coordinate it.”
- Data processors – they are responsible for “processing personal data based on the instructions of data controllers.”
- Data subjects – these are the “EU citizens using goods and services provided by the data controllers.”
As a result of these regulations, companies and public authorities (data controllers) within the EU are going to have to enact some changes in the ways they handle individuals’ (data subjects) personal information. Here are some of the main examples of what these entail:
- The duty to report certain data breaches within 72 hours of their occurrence, and to notify the data subjects involved.
- The duty to hire a Data Protection Officer for public authorities and companies involved in the intensive processing of high volumes of personal data.
- The duty to gain proper consent from data subjects. No more deceptive tick boxes and vague requests to process data – companies need to be explicit with the ways they gain data subjects’ consent to use their personal information.
The penalty for failing to comply with GDPR regulations stands at 4% of a company’s annual revenue or, alternatively, €20 million, depending on which amount is higher. This steep fine is further evidence of how seriously internet security and data protection are taken in the EU.
Although GDPR is generally seen as a positive development when it comes to technology regulation, some criticisms have been levelled at it. One of the main criticisms is that GDPR’s requirements disproportionately affect small businesses – it has been reported that the total cost of GDPR compliance for EU businesses stands at approximately €200 billion – a considerably large sum of money to spend on regulations.
I believe that this is a valid critique, especially considering that the main reasons behind GDPR’s introduction had to do with the way large internet companies, such as Facebook, manage their data. In this regard, it is true that these regulations may be more burdensome for smaller companies.
Another criticism of these regulations is that they may at times be unclear in terms of their compliance requirements. The main counterargument provided against this claim is that companies had over two years to prepare and comply with GDPR, which is true after all.
Ultimately, I think we ought to see GDPR as a positive and welcome development in terms of how we do technology. At times, I like to think that we are still in the dark ages of the internet – we still have so much to learn and so much to discover when it comes to harnessing and making best use of this revolutionary invention. Technological advancement is happening faster than ever – we need to make sure we keep up with its strides.