The world wide web was invented 30 years ago and in just one generation has spread to every corner of the Earth and even beyond. The United Nations is debating whether access to the web should be recognised as a fundamental human right. But the risks of the web's ubiquity are also increasingly clear. The General Data Protection Regulation (GDPR) is the greatest challenge so far for companies as they scramble to tame their wild-west websites. At the core of GDPR is the recognition that online personal data has value. Who owns it and how should it be treated?
The common saying on the internet that "if the product is free, YOU are the product" underlies much of the impetus behind Europe's insistence on data protection. Who ultimately owns your digital identity? Perhaps you do not believe yourself to be fascinating enough to be of interest to global corporations or governments; after all, what would they do with endless information on what you ate for dinner last night? But you would be wrong. Big Data matters: it can be harnessed to predict and influence behaviour. The latest scandal involving Cambridge Analytica and Facebook is proof that governments, regulators, institutions and the public are all becoming aware that an individual's online information is an asset: it has value. So who owns and who controls this increasingly valuable prize?
GDPR is the culmination of many years of work. After all, the previous EU rules on personal data, the Data Protection Directive, date from 1995. All 28 member states of the EU agreed to the GDPR, which was adopted in 2016 and became enforceable on 25 May 2018. What is GDPR? It is a regulation that requires businesses to protect the personal data and privacy of individuals in the EU, both for processing within the EU and for transfers of that personal data outside the EU. GDPR is built on the clear premise that a person's personal data is under that individual's control, and that any organisation or company collecting or processing it has an obligation to protect it, to process it on a lawful basis such as consent, and to respect the individual's rights over it.
The good news is that GDPR applies across the entire EU, so companies have just one set of rules and standards to deal with. The challenge, however, is that those standards are new, set at a high level and not always precisely defined. For example, GDPR requires companies to implement "appropriate" technical and organisational measures to protect personal data, but it does not spell out what appropriate actually means in practice; that is left to the company to justify, taking into account the risk to the individuals concerned and the state of the art.
The fact that GDPR covers data transferred outside the EU, and applies to non-EU organisations that offer goods or services to people in the EU or monitor their behaviour, gives the regulation global reach. A U.S. company that has no subsidiary in Europe but relies on European distributors, for example, is still directly affected by GDPR. The distributor sends over the Excel spreadsheets with all the European sales data; newsletters and marketing material go out to existing European clients; European prospects browse the U.S. home website and are tracked by its analytics. Behind all this everyday sales and marketing activity lies a flow of data, and that data includes personal information. In this way, GDPR reaches practically every company that has a website and does business on the internet, which in practice means nearly everyone.
This is the first of two blog posts on GDPR; the next one will focus on solutions and strategies for companies exporting to Europe. We are also hosting a series of webinars on GDPR. Come and join us: we promise we will treat your personal data with care and respect!