Bits N’ Bytes Cybersecurity Education is a 501(c)(3) dedicated to building a human firewall through education on cybersecurity and privacy for all vulnerable populations!

GDPR explained for ages 9 – 95


Hi there! Thanks so much for joining us today for a breakdown of a cybersecurity/privacy concept that has made headlines these past few weeks: GDPR! In the last couple of days, you may have received a couple (hopefully a lot!) of emails in your inbox from different companies telling you about the addition of GDPR policies to their current privacy policies.

Exhibit A! Email notification from Udacity

While you may be tempted to mark them as unread, here’s all you need to know about what is happening and why these laws are oh so important to you and your family:

GDPR Simply Explained

GDPR, or the General Data Protection Regulation, is a set of new laws passed by the European Commission in April 2016 in Europe that requires small and large corporations to protect consumer data through compliance and liability. For the past two years, companies have been working towards becoming compliant with stricter regulations for getting consent for hosting customer PII (Personally Identifiable Information like Social Security, pictures, emails, phone numbers, IP addresses, cookies), preparing for the big May 25th, 2018 date (aka 1 week from today), when the laws go into effect.

Illustration showing key elements of GDPR (effective 25 May 2018) – DPOs, Compliance, Data Breaches and Personal Data

What kind of policies are we talking about?

GDPR tightens up the rules for ensuring user consent for storing a user’s email addresses and data that is now frequently sold to data brokers. Simply put, companies have to establish what data they are collecting, what exactly they are doing with the data, how consumers opted into their lists, how long they are collecting it, and how they are collecting the data. This means that companies have to be super explicit with users about their data, and with these laws, control is shifted to the user while the company is made compliant. One way this is happening is that companies are now required to have an “uncheck” box when asking permission from you when you sign up for the service. GDPR also requires that all data a company previously collected has been collected in accordance with these new rules. In all honesty, there are so many harms that could come with your data being unencrypted and on the Internet. GDPR is the first big step, and it has privacy advocates screaming (with JOY). This makes for improved transparency, accountability, and readability (yes, it will no longer look like legal gobbledygook!).

Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply. – Forbes

For the full list of specific GDPR articles, read here!

Source: Creative Networks

But the US is not the EU? (Or is it…?)

Nope, you saw it right, I did say Europe! These new laws are being enforced in Europe. However, because today’s technology and our cloud make data and the Internet a global arena, there is a global impact on consumers and businesses that host PII. No matter where you are, the GDPR regulations impact companies everywhere, since any company that has a Web presence in Europe has to comply.

Which companies is this affecting?

Virtually any company that collected any form of PII from European citizens is affected, especially digital marketing companies, email marketers, small businesses, ecommerce companies (Amazon, eBay), and social media companies (Facebook, Twitter, etc.), who have been working to beat the deadline on May 25th. So, basically, the companies that make our world go ’round!

Here are a couple notices from companies you probably use!

  • Twitter GDPR
  • Facebook GDPR
  • Amazon Web Services GDPR
  • Google Cloud GDPR
  • Instagram GDPR

What’s the penalty for a company who doesn’t comply?

In fact, authorities are actually reliant on customers reporting if companies are noncompliant! The fines for noncompliance are pretty hefty: up to 4% of the company’s annual global revenue or 20 million euros (whichever is greater).

Source: DLA Piper

Any cons to mention about GDPR?

Endless consent prompts for every data process are said to possibly burden companies and users in the age of user friendliness. Also, GDPR compliance requires a significant investment from companies, since they must appoint a “Data Protection Officer” and not only provide updated audits frequently but also make sure each product takes a “privacy first approach” through design.

 As is often the case with legislation, especially that coming from the European Commission, there is a concern of overregulation when it comes to the GDPR…[and] Software that offers Data Loss Prevention or data classification features should be implemented system-wide for a better insight and control of who is processing data where. All of this, of course, comes at a cost. – Endpoint Protector

What changes can users expect?

As consumers, it’s likely we won’t see much change other than an email about changes in privacy policies and pop-ups asking about permissions. However, this is what companies want! Companies have been working at this simplicity because if the pop-up is the only thing you see, it simplifies the complicated process while informing users about the changes to come. With GDPR, we will have some sort of knowledge of the protection of our data.

Moral of the story? Unread those emails, my friend! You’re going to want to know this information. Read more to find out why we’re counting on you! GDPR really brings to the table the topic of US thinking more about the data collected and how permission is granted, as well as companies thinking about how they are using and collecting data.

Thanks so much for joining me today! As always, stay empowered and knowledgeable about your security online! By simply reading this blog and staying informed, you are many steps closer to that goal!

Detective Safety

Curious? Here are a couple resources:

Pro/Con of GDPR Compliance

https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html 

https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html

https://www.youtube.com/watch?v=gHihQAf3o-Q 

https://www.forbes.com/sites/forbestechcouncil/2017/12/04/yes-the-gdpr-will-affect-your-u-s-based-business/#1c0184a36ff2

 
