Over the past 2 weeks, all of you have probably been beset with numerous emails from the various websites and online services with whom you regularly (or even infrequently) interact, notifying you that their terms of service/use or privacy policies have changed. Depending on how closely you may be paying attention to the ceaseless flood of data we call our inboxes these days, this might have struck you as rather odd. You might have also noticed a common set of letters sprinkled throughout these emails, “GDPR”, an unfamiliar acronym that seems to have an inordinate amount of influence over all of these companies, including the ones we all assumed got to decide what exactly we could treat as private or public. In this case, this particular bit of alphabet soup stands for “General Data Protection Regulation”, and it is a new set of rules that govern how EU citizen data should be handled globally, starting May 25, 2018.
For the most part, the GDPR only governs data protection and privacy for EU and EEA citizens, and is designed to provide better protection and control of their personal data to those individuals, as well as to unify the regulatory environment for international organizations that collect and use that data. Without diving into the gory details, the core intent of the GDPR is to require any organization that handles data generated by EU/EEA individuals to clearly disclose what data is being collected, how and why it is collected, how long it will be retained, and whether it is being shared with third parties. These same users have a right to request a copy of the data collected and, in certain appropriate circumstances, to request that the data be erased or removed.
What does this mean for Americans?
While you may think this should have zero impact on you as an American citizen, there are two things to consider. We all interact with businesses and organizations that operate globally. You could probably name 5 companies that have specifically changed their policies to comply with GDPR by scanning your inbox: Facebook, Google, Twitter, Instagram, and Microsoft are just a few of the ones in mine. The “side-effect” of these companies reshaping their operations to comply with GDPR means an improvement for users in terms of privacy and security for everyone, regardless of country. Though some companies may make changes to only their non-US operations and processes due to budgetary or resource constraints, it typically makes better long-term sense to streamline or consolidate operations around the most secure and compliant technologies. A rising tide of privacy protection raises all boats.
Secondly, if you own, operate or work for an organization that collects data from EU citizens, you are subject to the GDPR, regardless of where your business physically resides. Make sure you understand how this impacts your business practices, specifically in the area of data security and privacy policy.