GDPR: Lessons From the World’s Strictest Data Privacy Law
According to the European Union, “The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU…The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.”
Don’t have tens or hundreds of millions to pay in fines? Make sure you understand the GDPR basics, its principles, and how it’s expected to impact international data exchanges.
How it Started…
For years, big tech companies have been accused of misusing our data and leaving sensitive consumer information vulnerable. Five years ago, Europe said “enough” and took action to protect the privacy of its 740 million citizens – and anyone who does business with the EU.
Allegations were broad but serious, claiming companies like Meta (formerly Facebook) and the like targeted and collected people’s data without their explicit consent.
Considering just how much information these and other tech giants have on us, complying with GDPR is more complicated for some organizations than others.
“One recent internal Facebook document obtained by Motherboard hints that the company doesn’t really know what it does with your data—an assertion Facebook denied at the time,” explains WIRED Magazine. “Equally, a WIRED and Reveal joint investigation at the end of 2021 found serious shortcomings in the ways Amazon handles customer data.”
The 7 Principles of GDPR
At its core, GDPR is founded upon seven key principles, all of which build on components of the UK’s 1998 Data Protection Act.
1) lawfulness, fairness and transparency;
2) purpose limitation;
3) data minimization;
4) accuracy;
5) storage limitation;
6) integrity and confidentiality (security); and
7) accountability. Accountability is new to data protection regulations
Each of the seven privacy tenets extend to organizations who engage with EU citizen data, and underscore the ethics of how that data is to be processed. While compliance is mandatory and strictly enforced, these expectations serve as guides not hard-and-fast rules.
Why it Matters for Businesses Worldwide
If you do business online, there’s a strong chance you’re beholden to GDPR regulations. Even outside the EU, everyone from school institutions to eCommerce companies have had to make significant investments to ensure compliance.
By some estimates, 88% of companies have spent more than $1 million to maintain GDPR compliance, while nearly 40% have spent $10+ million.
If companies are shelling out millions to ensure compliance, that tells you something about the cost of the penalties associated with being out of compliance.
To date, Meta has faced more than $410 million in fines relating to their non-compliant advertising methods.
But the total costs amount to more than just the monetary. Reduced resources and increased regulations are thought to be a factor in the number of apps that do or don’t get created. “Nearly one‐third fewer apps [have] entered the app store market in Europe than would have been expected,” according to the CATO Institute.
2023 Predictions with Data Processing Between Countries
Without data protection measures like GDPR, transferring data internationally would be chaotic and lawless. Still, that doesn’t mean it can’t be improved.
In fact, the impending EU-US Data Privacy Framework, which is expected to be instated by summer 2023, will aim to make data processing easier for these two regions. However, interstate and federal regulations in the US will still require companies to do their due diligence to ensure all security and privacy laws are taken into account.
For example, GDPR.org advises orgs to closely watch new initiatives like the Data Act. “This will regulate the unlawful processing of data that is created by the Internet of Things. Also worth noting is the Artificial Intelligence Act, which will include standard contractual clauses for supervisory authorities over data generated by AI.”
For now, abiding by the strictest interpretation of GDPR law and planning ahead for supplemental regulations that may be enacted is a good way to insulate your business from costly noncompliance.