The Law Firm of Piacentile, Stefanowski & Malherbe LLP

General Data Protection Regulation

You may have noticed that in the last 4 years, almost any website you visit greets you with a prompt asking you to allow it to store “cookies” on your device, together with a short description of what those cookies are used for and the ability to choose which kinds you accept. Those prompts exist because of EU privacy law: the EU’s ePrivacy rules require consent before non-essential cookies are stored, and the standard for what counts as valid consent comes from the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR is the broader legal framework that regulates how organizations that are established in the EU, or that offer goods or services to people in the EU or monitor their behavior, may collect, process, and use personal data. It works by requiring a lawful basis for every processing activity, by obliging organizations to tell people clearly what is done with their data, by giving individuals enforceable rights over that data, and by requiring that breaches involving personal data be reported in a timely manner.

The GDPR is an EU regulation that became effective on May 25, 2018. It strengthens and builds on the EU’s earlier data protection framework, replacing the 1995 Data Protection Directive (Directive 95/46/EC).

The GDPR sets out the rules for how personal data must be collected, processed, and stored by organizations operating in the EU, and it distinguishes between controllers, who decide why and how data is processed, and processors, who handle data on a controller’s behalf. It also establishes rights for individuals (“data subjects”) with respect to their personal data. Finally, it creates enforcement mechanisms to ensure that controllers and processors comply, including administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.

The GDPR applies to any organization that processes the personal data of individuals who are in the EU, regardless of where the organization is headquartered and regardless of the individuals’ citizenship. This includes organizations based outside of the EU that offer goods or services to people in the EU or that monitor their behavior, for example through online tracking.

Organizations that process such data must comply with the GDPR; the exemptions are narrow, the main one being processing by a private individual for purely personal or household activities.

The GDPR requires organizations to have a lawful basis before collecting, using, or sharing personal data. Consent is one of six such bases (others include performance of a contract, compliance with a legal obligation, and the organization’s legitimate interests), and where consent is relied on it must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. Explicit consent is required for special categories of data, such as health, biometric, or religious information, unless another specific exception applies. Organizations must also provide individuals with clear and concise information about how their data is used and about their rights under the GDPR.

Organizations that process personal data must implement appropriate technical and organizational measures to protect that data from unauthorized access, disclosure, alteration, or destruction, taking into account the state of the art and the risk to the individuals concerned; the regulation names pseudonymization and encryption as examples of such measures. They must also take reasonable steps to keep the data accurate and up to date, and they may keep it no longer than necessary for the purpose it was collected for.

Organizations that process personal data must provide individuals with a way to access their personal data and to exercise their other rights under the GDPR: rectification of inaccurate data, erasure, restriction of processing, data portability, and objection to certain kinds of processing. Requests must normally be answered within one month.

Organizations that suffer a personal data breach must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. When the breach is likely to result in a high risk to individuals, the organization must also inform those individuals without undue delay. A practical consequence is that the 72-hour clock starts when the organization becomes aware of the breach, not when its investigation is finished, so detection and escalation procedures need to get an incident in front of the right people quickly.

The GDPR also requires certain organizations to designate a Data Protection Officer (DPO): public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations that process special categories of data (or criminal conviction data) on a large scale. Other organizations may appoint one voluntarily. The DPO’s job is to advise on and monitor the organization’s compliance with the GDPR, including its security requirements. The DPO’s contact details must be published and communicated to the supervisory authority, so that individuals can reach the organization to exercise their rights, such as the right to have their account and all of the personal data the organization holds about them erased when there is no longer a lawful reason to keep it.

As an added protection for consumers, the GDPR pushes organizations toward anonymizing or pseudonymizing personal data wherever possible: pseudonymization is named as an example of an appropriate security measure and of data protection by design, and anonymized data (data that can no longer be linked to an individual by any reasonably likely means) falls outside the regulation entirely. The main objective is to limit the damage if the organization suffers a data breach, since pseudonymized records can only be tied back to a person with additional information that must be kept separately and protected. Pseudonymization is also treated as a safeguard that can make further processing, such as statistical analysis or research, compatible with the purpose for which the data was originally collected. Two caveats matter in practice: pseudonymized data is still personal data and remains fully subject to the GDPR, and a pseudonym is only as strong as the separation between the data and the key or lookup table used to create it (an unkeyed hash of an e-mail address, for example, is trivially reversed by hashing guesses).

As a last measure of data protection, personal data may not be transferred out of the EU unless the destination offers essentially equivalent protection: a country covered by an adequacy decision of the European Commission, a recipient bound by appropriate safeguards such as standard contractual clauses or binding corporate rules, or one of a few narrow derogations. This last part has been a source of controversy. Many companies have complained that it created an expensive disruption of their business practices, since in some cases they have had to maintain two separate sets of user data, one for the EU and one for the rest of the world, which limits their ability to plan on a global scale or to use their data to decide the company’s best course of action.
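To make the pseudonymization caveat concrete, here is an added example written for this page; it is not the firm’s code and not anything prescribed by the regulation. It assumes the direct identifier in each record is an e-mail address and that the HMAC key is stored somewhere separate from the pseudonymized dataset, such as a key management service. The records and the attacker’s candidate list are constructed for the demonstration.

```python
"""Pseudonymizing personal data with a keyed hash, and why an unkeyed hash is not enough.

Added example (not from the original page). Assumptions: records are plain dicts,
the direct identifier is the e-mail address, and the pseudonymization key is held
separately from the pseudonymized dataset (for example in a KMS or HSM). That
separation is what makes the key the "additional information kept separately"
that the GDPR's definition of pseudonymization relies on.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; not real people.
RECORDS = [
    {"email": "alice@example.org", "country": "DE", "plan": "pro"},
    {"email": "bob@example.org", "country": "FR", "plan": "free"},
    {"email": "carol@example.org", "country": "IT", "plan": "pro"},
]


def _normalize(identifier: str) -> bytes:
    """Canonicalize the identifier so the same person always maps to one pseudonym."""
    return identifier.strip().lower().encode()


def unkeyed_pseudonym(identifier: str) -> str:
    """The WEAK variant: a bare SHA-256 of the identifier.

    Anyone holding the dataset can re-identify subjects by hashing guesses,
    because e-mail addresses come from a small, enumerable space.
    """
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """The recommended variant: HMAC-SHA256 under a secret key.

    Without the key, a guessed identifier cannot be checked against a pseudonym,
    so the dataset on its own does not re-identify anyone.
    """
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym; keep the other fields."""
    out = []
    for r in records:
        rec = {k: v for k, v in r.items() if k != "email"}
        rec["subject_id"] = keyed_pseudonym(r["email"], key)
        out.append(rec)
    return out


def resolve_subject(dataset, email: str, key: bytes):
    """With the key, the controller can still answer an access or erasure request:
    recompute the pseudonym and select that subject's rows."""
    pid = keyed_pseudonym(email, key)
    return [r for r in dataset if r["subject_id"] == pid]


def dictionary_attack(pseudonyms, candidates, pseudo_fn):
    """Attacker model: holds the pseudonymized dataset (a breach) plus a list of
    candidate e-mails (e.g. from another leak) but NOT the key.
    Returns the {pseudonym: email} mapping the attacker manages to recover."""
    table = {pseudo_fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def demo():
    """Compare the weak and keyed schemes under the same attacker."""
    key = secrets.token_bytes(32)  # in production this lives in a KMS, not beside the data
    dataset = pseudonymize(RECORDS, key)

    # Attacker's candidate list (constructed): two real addresses and one that is not in the data.
    leaked_candidates = ["alice@example.org", "bob@example.org", "mallory@example.org"]

    weak = [unkeyed_pseudonym(r["email"]) for r in RECORDS]
    strong = [r["subject_id"] for r in dataset]

    return {
        # Unkeyed: every candidate that is in the dataset is re-identified.
        "weak_recovered": dictionary_attack(weak, leaked_candidates, unkeyed_pseudonym),
        # Keyed: the attacker can only try guessed keys, which never match.
        "strong_recovered": dictionary_attack(
            strong, leaked_candidates, lambda c: keyed_pseudonym(c, b"guessed-key")
        ),
        # The controller, holding the key, still serves a subject access request.
        "alice_rows": resolve_subject(dataset, " Alice@Example.org ", key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the unkeyed hash the attacker recovers every address on its candidate list that appears in the data; with the keyed pseudonym it recovers nothing unless the key leaks as well, while the controller can still locate a person’s rows to answer an access or erasure request. The key, not the hash function, is what carries the protection, which is why it must be stored and access-controlled apart from the dataset.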

Overall, the GDPR has had a positive reaction from individuals, and data safety advocates have praised the rights and protections that it has given to general consumers and users not only in the EU but also around the world.