The short answer is to protect users like you. Since 25 May 2018 the General Data Protection Regulation, or GDPR, has required online service providers to be more transparent with the people whose data they process.
Company-to-consumer transparency is one of those things that, as a consumer, you’re generally not worried about until something bad happens. The GDPR overhaul aims to bridge that gap and upgrade the standards on which a user’s information and privacy are handled, whether in crisis or not. Across the globe, companies based out of the United States, European Union, Brazil, Australia, and more have made leaps and bounds toward protecting user privacy on a large-scale.
What is the General Data Protection Regulation?
Back in 2016, the European Parliament and Council adopted legislation to give individuals more control over their personal data. This legislation also requires companies to safeguard the personal data and privacy of people in the European Union, regardless of where the company itself is based, whenever it offers goods or services to them or monitors their behaviour.
Among the many changes brought on by the GDPR, there are five that truly changed the face of how companies and organizations handle user information.
1. Breach notification
2. Right to access
3. Data protection by design and by default
4. Data portability
5. Right to be forgotten
These are all changes that better protect you. So, how does the GDPR work for you? Let’s break it down:
1. Breach notification: Article 33 of the General Data Protection Regulation requires an organization acting as a data controller to report a personal data breach to the appropriate supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. The notification must describe the nature of the breach, including the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address it.
If the breach is likely to result in a high risk to individuals, for example by putting financial, identity, or other sensitive data at risk, Article 34 requires the controller to notify the affected individuals directly. That communication must be clear and comprehensive, describing the breach in plain language and what those affected can do about it. In fact, some countries require that proof of this communication be provided to the data protection authority to ensure proper information is being disclosed.
2. Right to access: It’s hard to believe that this wasn’t stated within legislation before, but Article 15 of the GDPR officially states that users “shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”.
As per Article 15, users have the right to access the following:
- The purpose of the processing
- The categories of the specific personal data
- The right to file a complaint with a supervisory authority
- The envisioned period of time in which the data will be stored
- The existence of automated decision-making and profiling
- The right to request rectification or erasure of personal data from the controller
3. Data protection by design and by default: Article 25 of the GDPR requires controllers, including those building applications or websites, to implement appropriate technical and organizational measures that protect user information from the outset, and to process by default only the personal data necessary for each specific purpose. This mandates that user privacy and security be at the helm of the creation process, not a mere afterthought.
4. Data portability: Though data portability is a more complex concept, it’s an important one. Article 20 gives users the right to receive the personal data they have provided to a controller in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
5. Right to be forgotten: Think back to your earlier internet days where you thought posting embarrassing pictures or making less-than-savory email accounts was acceptable. In your adulthood, there’s nothing you want more than to make those nightmarish photos and accounts disappear.
Luckily the GDPR introduced a right, set out in Article 17, allowing individuals to have personal information erased. Also known as the right to erasure, this right is not absolute and applies only under certain circumstances, for example when the data is no longer necessary for the purpose it was collected for or when the individual withdraws consent.
Who does the GDPR affect?
You’re probably wondering how a European Union regulation can possibly affect you when you live on outside soil. But if you’re a Google, Facebook, Twitter, or Instagram user, the GDPR has already taken effect in your life.
The right to access provision within the GDPR mandates that each listed company, and all others in scope, must provide a record of the data it holds about you when you request it. If you want or need a copy of all of that information, it is no longer inaccessible. In essence, the GDPR gives the average user far more privacy protection than in the past.
In the larger scheme of things, the GDPR most significantly affects businesses with online services. Between its adoption in 2016 and its application date in May 2018, businesses were allotted two years to bring their privacy and security practices into alignment with the GDPR’s requirements. Falling below the GDPR compliance standard can result in a hefty penalty: for the most serious infringements, up to 4% of the company’s annual global turnover or €20 million (roughly $26 million at the time of writing), whichever is greater.
Across the board, the GDPR requires companies and organizations to hold themselves to high standards when it comes to handling confidential user information. Though you may have felt a little annoyed to see your inbox filled with policy update emails, that simple notification already points the needle in the right direction.
Take Facebook for example: with over 2.32 billion users worldwide, the social media giant is home to one of the largest hubs of user information. From sharing your date of birth to photos from high school, the average Facebook user has absolutely no problem sharing their lives on the social media site. Though the focus is ultimately on sharing those moments with close friends and family, users often overlook the fact that Facebook also uses your information for other applications.
How information is collected and shared
When you sign up for Facebook, you’re asked to provide your name, gender, date of birth, email, and mobile phone number. This data alone can help Facebook better understand who you are, and what you will likely want to see. However, your online behavior is also tracked by Facebook.
Once you’re all signed up and logged in, Facebook will then collect and store data pertaining to:
- Additional personal information such as hometown, maiden name, current city, employment, political groups, alumni associations, main names, school, and other linked social networks.
- Every IP address that you use to log in to your account
- A complete activity log documenting “a list of your posts and activity, from today back to the very beginning. You’ll also see stories and photos you’ve been tagged in, as well as the connections you’ve made - like when you liked a Page or added someone as a friend.”
- All third-party applications that you intentionally or unintentionally link to your Facebook account. This includes everything from Uber, Airbnb, Candy Crush, Spotify, and more.
- All connected devices that you have used to access your Facebook account. This could be your smartwatch, smartphone, computer, tablet, or virtual assistants.
In essence, Facebook wants to understand exactly who you are, and uses a number of telling resources to collect the information needed to build and strengthen your profile. Its data policy also lists the parties with whom that information is shared:
- Partners who use their analytics services
- Partners offering goods and services within Facebook
- Researchers and academics
- Measurement partners
- Law enforcement or legal requests
- People and accounts you choose to share and communicate with
- Third-party apps and websites that have Facebook integration
Giving users control over advertising
Before the GDPR, Facebook used any and all information provided to generate targeted ads. Since 2018, Facebook prompts users with an option to enable or disable targeted ads based on the political, religious, and relationship information they provide. Though you won’t be able to completely rid your timeline of advertisements, you’ll be able to modify what information is used to target you.
Across the board, when looking into newly updated privacy policies, be sure to assess them for three key points that should be thoroughly detailed:
- How they collect your data
- How they use your data, particularly for advertising
- How transparent they are about your data
The GDPR was created to keep users like you informed and protected against corporate user information exploitation.
The future of online service privacy policies is one worth keeping an eye on. The day the GDPR went into effect, a number of U.S. news sites became unavailable to visitors from the EU, blocking them rather than risk non-compliance. This included high-profile sites such as the Chicago Tribune, the LA Times, the New York Daily News, and more.
The ambiguity surrounding the scope of the GDPR has been a cause for controversy and a definite roadblock for understanding what the future of the GDPR will look like. While it is an EU-based policy, online service providers based outside the EU who offer their services to EU users are forced to comply if they intend to keep their international reach.
Tackling internet privacy is a large task, but privacy and security practitioners broadly agree that it is one that should be taken seriously. And as long as the internet exists, data will too. How regulation is written and enforced will shape how we share our information on the world wide web in the future.