What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don't specifically market goods or services to EU residents.
The GDPR mandates that EU visitors be given a number of data disclosures. The site must also take steps to facilitate such EU consumer rights as timely notification in the event of personal data being breached. Adopted in April 2016, the Regulation came into full effect in May 2018, after a two-year transition period.
Customer-Service Requirements of the GDPR
Under the rules, visitors must be notified of data the site collects from them and explicitly consent to that information-gathering, by clicking on an Agree button or other action. (This requirement largely explains the ubiquitous presence of disclosures that sites collect "cookies"—small files that hold personal information such as site settings and preferences.)
Sites must also notify visitors in a timely way if any of their personal data held by the site is breached. These EU requirements may be more stringent than those required in the jurisdiction in which the site is located.
Also mandated is an assessment of the site's data security, and whether a dedicated data-protection officer (DPO) needs to be hired or an existing staffer can carry out this function.
Information on how to contact the DPO and other relevant staffers must be accessible so that visitors may exercise their EU data rights, which also include the ability to have their presence on the site erased, among other measures. (Naturally, the site must also add staff and other resources to be capable of carrying out such requests.)
Other Rules and Mandates of the General Data Protection Regulation (GDPR)
As further protection for consumers, the GDPR also calls for any personally identifiable information (PII) that sites collect to be either anonymized (rendered anonymous, as the term implies) or pseudonymized (with the consumer's identity replaced with a pseudonym). The pseudonymization of data allows firms to do some more extensive data analysis, such as assessing average debt ratios of its customers in a particular region—a calculation that might otherwise be beyond the original purposes of data collected for assessing creditworthiness for a loan.
The GDPR affects data beyond that collected from customers. Most notably, perhaps, the regulation applies to the human resources' records of employees.
Controversies Associated With the GDPR
The GDPR has attracted criticism in some quarters. The requirement to appoint DPOs, or simply to assess the need for them, some say, imposes an undue administrative burden on some companies. Some also complain that the guidelines are too vague on how best to deal with employee data.
In addition, data cannot be transferred to another country outside the EU, unless the receiving company guarantees the same degree of protection as the EU requires. This has led to complaints about costly disruption to business practices.
There's further concern that the costs associated with GDPR will increase over time, in part because of the escalating need to educate customers and employees alike about data protection threats and remedies. There's also skepticism over how feasibly data protection agencies across the EU and beyond can align their enforcement and interpretation of the regulations, and so assure a level playing field as the GDPR goes into fuller effect.