With recent congressional hearings over data privacy and breaches causing a stir in today’s headlines, the European Union (EU) is taking its first step toward changing the way personal data is handled with its new General Data Protection Regulation (GDPR). The regulation takes effect May 25, 2018, and it applies not only to businesses within the EU, but also to any organization outside the EU that offers goods or services to, or collects personal data from, data subjects within the EU.
These are just a few of the many changes in the GDPR:
• Businesses are required to rewrite their consent requests and privacy notices in clear and plain language and place them on their websites where they are easy to find. This change is meant to do away with the lengthy terms-of-service policies that many people only skim.
• Data subjects will have the right to receive the personal data they have provided to a business in a commonly used, machine-readable format, and to transmit that data to another data controller (the right to data portability).
• A business must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, and must also inform the affected data subjects without undue delay when the breach is likely to pose a high risk to them.
• Businesses must be able to demonstrate that users on their direct email marketing lists gave consent. If there is no clear record of consent, these businesses must re-request it. Any business, including one outside the EU, that collects data from EU users for email lists is required to make these updates.
• Businesses must offer a data erasure option (the right to be forgotten), so data subjects can withdraw consent and have their data deleted. Data subjects must always have the option to have their personal data completely erased and any further dissemination of it stopped, including by third parties to whom it was disclosed.
The GDPR is the EU’s first major change to data protection rules in more than 20 years, replacing the 1995 Data Protection Directive. The regulation is designed to standardize data privacy law across the EU, protect citizens’ privacy against data breaches, and reshape the way Europe handles personal data. Although there are currently no plans for the United States to change its own regulations, the GDPR may serve as a model if and when the U.S. decides to tackle this issue.