All You Need to Know About GDPR, the New Data Law

While regulations and laws are usually lengthy, boring and full of complex jargon, a few of them are important to understand as they may directly or indirectly impact your regular life. One such key regulation that will take effect on May 25, 2018, is the General Data Protection Regulation (GDPR). This article serves as a quick guide to help readers understand its implications.

In a nutshell, GDPR is legislation aimed at giving the end consumer the right to control their data. While it is implemented in the European Union (EU), it has far-reaching consequences for major technology firms that operate globally. They include the likes of Meta (FB), formerly Facebook, and Alphabet Inc.’s Google (GOOGL) – companies that hold massive troves of user data and utilize it for earning their revenue.

GDPR Basics 

GDPR stands for General Data Protection Regulation, a law approved in April 2016. It supersedes an earlier law called the Data Protection Directive and is aimed at standardizing the rules across the entire EU region. GDPR allowed companies two years to comply with the necessary changes.

As more and more companies, especially those in the technology sector, continue to gather heaps of users' personal data, the control and management of user data ultimately lies in the hands of these companies. It then becomes prone to use (and misuse) of the companies, their employees, and vulnerable to hacks. GDPR attempts to give consumers the control of their personal data . The ruling will also be applicable to companies which are based outside of the EU, but offer products and/or services to EU customers. This is the reason why global companies are concerned and are mandated to comply with the regulation.

The Intricacies of GDPR

At present, one needs to simply click the “I Agree” button on a webpage that is full of complex and open-ended jargon. It is not only vague and difficult to understand, but also allows companies to seek user consent for whatever they wish. For instance, purchasing a toy from an e-commerce portal may entail sharing one' delivery address and phone number, but hidden underneath the long list of terms and conditions may be a condition that allows the portal to share those details with marketers.

GDPR is set to change all that. It will make it difficult for the companies to use vague, unfair and confusing language to have the user agree to whatever they wish.

At present, there is no clarity about how a company handles a user’s data if a user withdraws from their services. For instance, there are concerns that even if a user deletes a social media account, the company may retain their details forever. GDPR offers the much needed “right to be forgotten,” which means the company, as well as any other affiliated entities using your data, will be required to erase it from their records.

GDPR also provides for easy withdrawal of consent at any point in time. For underage users, those under 16, eligible guardian(s) will have to provide consent on their behalf for data collection.

Users will also be able to know the precise data points being stored, and where and how is the company using them. GDPR allows for data portability – that is, users can take their data and move it to another provider. A possible implementation of such data portability is when a user wishes to move from Google Plus to Facebook, or from one online rental service to the other, making the process easier.

Any data breaches will now have to be reported to the concerned authorities within 72 hours of the company becoming aware of it. Similarly, users will also need to be informed of any such breach without any undue delay. At present, with no clarity on the timeline of intimation, many companies hit by hacking attempts and data stealth keep the incidents hidden forever.

Impact on Businesses

The regulation stipulates monetary fines in case GDPR laws are breached. A firm can be imposed a fine of up to 4 percent of its total global turnover in case of any GDPR violations, with a minimum set at 20 million euros (around $24.5 million). With major tech firms having revenues in billions, any violations will cast a big impact.

As the two-year implementation period is almost over and the go-live deadline is coming to a close, individuals are already seeing a flurry of notifications in their inbox from various service providers about the updated policy changes. Among the major firms, Facebook has released a few privacy oriented tools and Google has updated its policy across variety of its services. (See also, Employee's Facebook Stalking Raises Questions.)

Barclays believes that most likely to impact social networks more than any other technology stream. Though it does not perceive any major impact on ad revenues, it believes that a drop in users is imminent. "We think there is a risk that reported MAUs (monthly average users) could drop off for Facebook and Twitter starting in late 2Q. DAUs (daily average users) are far more important and less of a GDPR concern for the social networks, but may also drop off a bit," Barclays analysts told CNBC. (See also, More Data Breaches Likely, Facebook Warns.)

Take the Next Step to Invest
The offers that appear in this table are from partnerships from which Investopedia receives compensation. This compensation may impact how and where listings appear. Investopedia does not include all offers available in the marketplace.