It is likely that you have received a lot of e-mails these past few days from every service you subscribed to at some point, indicating that their privacy policies have been updated.
But… What does that mean? What is the impact on development companies? How does it affect our lives? Why has my distant cousin from Zimbabwe, who had promised to hand me down all of his money, stopped writing? Did he… die? May the force be with him.
What is GDPR?
To answer those questions, we need to talk about the General Data Protection Regulation (GDPR), a series of regulations from the European Union (EU) effective as of May 25th (which happens to be a holiday in Argentina: many houses smell of locro and this hungry young man is desperately trying to get invited somewhere to taste it). Some experts said that it was a consequence of the Cambridge Analytica scandal, but the truth is that it was a proposal from 2012 that came into effect in 2016, with an adjustment period that came to an end on Friday May 25th of 2018. What the Cambridge Analytica data scandal did do was lead many companies to adapt their terms and conditions in order to prevent future lawsuits from nations, individuals or organizations.
On the first day GDPR applied, Google, Facebook and other companies were sued for millions of euros by an Austrian lawyer and activist. The new law impacts EVERY company. Regardless of their country of origin, their size or their main activity, all of them must abide by it as long as they collect, store, handle, use, or manage any type of data belonging to EU citizens. This law unifies and centralizes the 28 previous regulations that existed in each member country of the EU, and its goal is to protect citizens from misuse of their personal data.
What impact does GDPR have?
The regulation has three major effects:
- First, it reduces the ambiguity in certain laws about where information may be stored and processed. It does not matter where in the multiverse data are collected, stored, or processed: companies must adapt to GDPR.
- Second, fines for non-compliance are increased.
- Lastly, there is the primary requirement to have a documented definition or specification of how users’ data are protected and used, so that everything is in order.
It is also important to understand and analyze the rights to which users are entitled from now on:
- The right to erasure (or “right to be forgotten”): the user can demand the full erasure of all the information collected about them, and the company must comply.
- The right of access: since not all stored data are equally sensitive, information about sexuality, politics and religion may only be obtained with the user’s explicit consent, and companies must explain why and how they will store that data.
- The right to data portability: the user can demand that all personal data concerning them, collected by a company, be made available for download in an open format, and decide whether they wish to share that information with another company.
- The right to be informed about data breaches: companies must duly notify users when their systems have been breached.
- Privacy by design becomes mandatory: “privacy by design” is a concept that covers responsible business practices, spanning physical design and network infrastructure. It obliges companies to implement appropriate measures to protect personal data from the software design stage onward.
What is the purpose of GDPR?
Every company’s greatest asset is information. Consequently, we can think of users as the producers of a company’s profit and, in many cases, even as the reason for its existence. Ethical and responsible data management becomes a priority. The purpose of regulations such as GDPR is to empower users by protecting their personal data and controlling the way companies handle them.