The European Union has a new law on the books for protecting data privacy. It’s the General Data Protection Regulation, more commonly called the GDPR. This Friday, it goes into effect in the EU’s 28 member states.
The law changes the rules for companies that collect, store or process large amounts of information on residents of the EU, requiring more openness about what data they have and who they share it with.
That means you, Facebook.
It also means any company with a digital presence in the EU (which for the time being still includes the UK) will have to comply with the law or face steep penalties.
The deadline to comply with the law has been looming for two years, ever since the European Parliament adopted it in April 2016. When the Cambridge Analytica scandal at Facebook emerged in March, privacy advocates found an eye-catching example of why internet users might want more control over who can access their data.
The GDPR came up several times during Facebook CEO Mark Zuckerberg’s testimony before the US Congress in April, and it was a major focus Tuesday when members of the European Parliament questioned Zuckerberg in Brussels. EU officials said they weren’t satisfied with the Facebook CEO’s answers to questions about the GDPR, and he promised to follow up with answers in writing.
“I think the GDPR in general is going to be a very positive step for the internet,” Zuckerberg told US lawmakers, going on to discuss Facebook’s plans to tighten data policies, protect users from further leaks and become more transparent about who’s advertising on the site.
It’s not just the household names of the internet like Facebook that will have to comply. Health care providers, insurers, banks and any other company dealing in sensitive personal data will also be on the hook.
The GDPR will have a significant impact on our online footprints and how the apps and services we use protect or exploit them. Here’s what you need to know.
What is the GDPR?
The General Data Protection Regulation is a sweeping law that gives residents of the European Union more control over their personal data and seeks to clarify rules and responsibilities for online services with European users. It replaces the EU’s previous law governing data protection, passed in 1995, and makes some dramatic changes to existing conventions.
The regulation expands the scope of what companies must consider personal data, and it requires them to closely track the data they’ve stored on EU residents. If someone in the EU wants a company to delete his or her data, send copies of the data, or correct an error in the data, companies have to comply.
The law goes even further than that. EU residents can now object to specific ways companies are using their data, saying that they don’t mind if a company keeps the data as long as it stops using the info for a particular purpose.
What’s more, the law requires companies to notify users within 72 hours of a data breach — something very few companies currently do. For example, during the Equifax breach that exposed the personal information of millions of people in the US and beyond, the company spent weeks stopping the attack and then planning how to deal with the damage before informing the public.
How will the EU enforce the GDPR?
Each member state of the EU will have its own enforcement mechanism, with one GDPR supervisor per country.
Residents can make complaints to the governing body in their respective country. Companies found in violation of the law will face fines that could be very steep. The maximum fine for a GDPR violation is 20 million euros or 4 percent of a company’s annual global revenue from the year before, whichever is higher.
When does the GDPR take effect?
Friday. The regulation was ratified in 2016 and organizations were given a two-year “implementation period” to prepare. This grace period ends on May 25, 2018, when enforcement begins in earnest.