I first sat up and took note of GDPR when a newsletter I subscribe to asked for re-confirmation to continue sending me information. This was one month ago. Until then, GDPR was always something good that the European Union had put in place but would come into effect at some unknown time in the future. Suddenly, in the past 4 weeks I’ve been hit with a number of e-mails that aim to provide me further clarity on what information is being collected, how it is being stored and how much control I have over it. Numerous friends have begun to spend longer hours at work as 25th May draws closer. And all this while I sat miles away in India!
So what is GDPR?
This is probably something that you already know, but just in case you have been visiting another planet, let me make this easier for you. Europe is changing its data and privacy rules. Adopted by the European Parliament on 14th April 2016, the General Data Protection Regulation (GDPR) is a new legal requirement that will determine how data is processed, stored, used and exchanged. At first it was viewed as a restrictive regulation, but organizations have begun to concede that maybe the EU was thinking ahead when it came to data protection. As more organizations begin to store, process and monetize data in exchange for ‘free’ services, leaks such as the most recent Facebook fiasco are increasingly likely. It thus becomes important to monitor how organizations use and sell data.
GDPR applies to all individuals within the European Union. If you are an American residing in the EU, this applies to you too. GDPR requires that data be collected and processed transparently, be accurate and up to date, be safe from hackers and (my favorite) be held only for the minimum time necessary. This is one reason why statements around data are becoming an easier read. GDPR also strengthens your right to withdraw consent. An individual can request the information companies hold about them and ask for it to be deleted. The cost of breaching this regulation is colossal. It involves fines of up to 4% of global group turnover or 20 million euros, whichever is higher. This is in addition to limits or outright bans on data processing.
The reason you see a crazy rush now is that, like everything else in life, despite having two years to put everything in place, most things get done at the last minute. The date for enforcement is 25th May 2018 – two days from today.
What is the impact outside of EU?
GDPR has an impact on any organization that collects or uses data of EU residents, irrespective of where the organization is located. It also impacts organizations that use the services of organizations based in the EU. For many large multinationals, it makes sense to adopt GDPR as a global practice. While it is extremely costly to put into place, it helps avoid inconsistency in practices. It is also the most progressive data protection law in place. It is likely that many other countries will follow suit. Hong Kong has already decided to replicate GDPR. I am sure that very soon organizations across the world will start boasting about being GDPR compliant, as it will help boost customer trust and confidence.
While there is considerable debate on how this will be implemented and if organizations will be able to meet deadlines, this is something that will definitely change how data privacy is looked at.
The unfortunate truth is that many organizations are not entirely prepared for GDPR. The scramble that you are witnessing at this point in time is testimony to that fact. If you have the time and inclination, it is a good idea to go through the 200 pages of the new rules. It isn’t something that can be digested quickly and easily, and understandably so. The EU GDPR site is also a useful resource. As HR professionals, we hold responsibility for a large database of employee information. It will be interesting to see how this will seep into our systems and whether we are truly prepared to tackle progressive data protection regulations. What do you think?