There are some big changes on the horizon for how companies handle users' personal information. The European Union General Data Protection Regulation will go into effect on May 25 and will impact not just European companies but those in the U.S. as well. The rules reign in the free-wheeling relationship some organizations have had with user data and instead create more accountability in terms of how that information is used.
With just a few weeks to go before the GDPR is official, it's important that all companies get up to date on the upcoming changes in how they collect and use individuals' data. If companies fail to be compliant, they may face some hefty penalties – up to $25 million or 4 percent of global revenue, whichever is greater, according to IT Pro – we're not talking pocket change here.
We break the changes down below with five things you have to know about the GDPR:
1. It affects U.S. companies, not just European ones
If you're a U.S. company that markets its products or services to consumers in Europe, then you must comply with the GDPR. As Yaki Faitelson, CEO of Varonis, explained in an article for Forbes, the GDPR casts a wide net with its stipulation that if a U.S. company targets consumers in EU countries – through having marketing campaigns aimed at EU consumers and through translating web pages and marketing copy into EU languages – then they'll be subject to the regulations.
It's not just corporate behemoths that need to take another look at their data processing practices. CSO noted that organizations with fewer than 250 employees are still subject to the GDPR if their data usage is not "occasional," collects personal information and "impacts the rights and freedoms of data subjects." This may sound highly specific, but it's not: As the site noted, this is nearly all U.S. companies.
"The GDPR gives consumers more of a right to their data."
2. The GDPR considers a wider range of information types to be 'sensitive'
There are certain classifications of user data that the general consensus says is sensitive – financial data and social security numbers, for example. However, the GDPR broadly expands the category of information that companies need to be more careful handling.
Under the GDPR, "personal data" now includes IP addresses as well as cookie data, in addition to information related to mental and physical health, sexual orientation, race and religious and political beliefs.
As the Program on Corporate Compliance and Enforcement at the New York University School of Law explained, this broadened category essentially means that the majority of companies' online activities will collect and review data that violates the GDPR.
3. Companies now must receive active consent to collect users' personal information
Another major change the GDPR will bring about is that companies must now actively acquire a user's consent to use his or her information. Gathering consent in vague, roundabout ways – like having a terms and conditions box pop up on a website with the "I accept" box already checked – will no longer be allowed. Instead, under the GDPR, companies must actively have users opt in to having their data be used, as IT Pro detailed.
Under the GDPR, companies must also state exactly how they plan to use a person's data and in what specific ways, such as email marketing, for example, as Faitelson explained in his Forbes article. Furthermore, organizations must use clear, straightforward language to explain their terms and conditions, according to IT Pro.
4. Consumers will have more of a right to their data
The GDPR gives consumers more of a right to their data as well as a louder say in how their information is used. People can ask for their company to no longer use their data, and the organization must comply within a specified period of time or face consequences. Similarly, individuals will have the right to view the data that a company has collected on them at any time.
In addition, the GDPR also strengthens "right to be forgotten" rules, which decrees that companies are obligated to promptly remove the data collected on an individual as well as notify third-party sites that may be using the information to clear it.
5. Companies need to be more on top of their data protection activities
The GDPR examines the ways a company collects and uses personal information by three main actors: the data collector, the data processor and the data protection officer.
The data controller is the company using the data – an e-commerce site, for example. The data processor is the party actually evaluating and analyzing the data, typically a technology firm. And the data protection officer is a new position that all companies are mandated to oversee and manage compliance with the GDPR. If you're an e-commerce site and your data processor screws up, you'll be on the hook, according to CSO Online. This type of accountability will hopefully help avoid incidents such as the recent Cambridge Analytical and Facebook scandal.
The GDPR significantly changes how companies use personal data – make sure your company is up to date on the specifics of the regulations to avoid hefty penalties.