Today is the big day when a new European privacy law takes effect, shifting the power balance towards consumers. You (and especially your inbox) have probably guessed by now: the law is called the General Data Protection Regulation (GDPR).

What is GDPR?

Consumers have long wondered just what Google and Facebook know about them and who else can access their private information. Now, GDPR restricts the way such data is collected and handled. It relates to personal data, or information related to an identified or identifiable person. Its goal is to create a common set of data protection practices across the EU.

GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Businesses established outside the EU are also subject to GDPR if they offer goods and/or services to citizens in the EU.

This new data protection regulation puts the consumer in the driver’s seat and the responsibility of complying with GDPR falls upon businesses. Non-compliance can be punished with fines of up to EUR 20 million or 4% of a company’s global turnover (whichever is higher).

The new law replaces the 1995 Data Protection Directive, which has until now set the minimum standards for processing data in the EU.

What does it mean for consumers?

GDPR focuses on ensuring that you – as a consumer – know, understand and consent to the data collected about you. It gives you the right:

  • to be informed about the data controller that processes your information and how to contact that entity;
  • to “erasure”, i.e. the removal of your data;
  • to object to automated decision-making, which is used to profile you and to use your data for targeted ads.

What does it mean for companies?

As a business or organization, you must be clear and transparent about the way you collect and use customers’ personal data including full name, home address, location data, IP address, or the identifier that tracks web and app use on smartphones. GDPR also forces you to report a data breach within 72 hours.

Also, you have to be clear on why the data is being collected and whether it will be used to create profiles of customer actions and habits. And, most importantly, do not forget that “25 May is only the beginning and not the finish line.”

In case you have not seen it yet, the EU Commission published a 7-step guide and made an online toolkit available to help businesses comply with the new rules.

More about this topic in our upcoming articles. Until then:

Happy GDPR compliance day!