Even when people are not entering credit card information into a website, we are constantly sharing personal information such as our address, email, work history, our computer’s IP address, comments, or social media photos. The question becomes: how do we protect citizens’ right to privacy in the digital age? This is not a new concern, but it is definitely a growing one. As early as 1980 there were the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which were supported by both the United States and Europe. In 1995 the EU made additional updates and passed Directive 95/46/EC. The downside to this directive was that it required individual countries to meet certain standards but did not tell them how to reach the desired result. In response to more information being passed via the internet and smart technology, the EU passed the General Data Protection Regulation (GDPR) in 2016. This regulation will officially be enforced on May 25th, 2018. It is meant to help streamline policy, enhance individuals’ choice to share and protect their information, and ensure companies are upholding their duty to safeguard users’ personal data.
What Does The GDPR Enforce?
The GDPR does not change the core of what was stated in the 1995 directive, which is that humans have a fundamental right to privacy. However, there are some key updates that companies should be aware of, including:
- This regulation does not just affect companies within the EU. It also applies to any company handling personal information that belongs to an EU citizen. It is applicable even if there is no financial transaction.
- A company must use clear, non-legal language when asking for consent from a user. Furthermore, consent must be requested separately for each individual use of their data and cannot be bundled together into one agreement clause.
- Users must be asked to opt-in to providing personal information instead of being asked to actively opt-out. It must also be easy for a user to withdraw consent at a later time.
- If there is a data breach, companies must notify users within 72 hours.
- To maintain transparency, people should be able to find out how and where their information is being used.
- Companies must only keep individuals’ personal data for as long as it is relevant and then must take steps to erase it.
- With GDPR, companies must now make data protection a priority from the beginning instead of making accommodations for it after setting their website up. This is also known in the security field as privacy by design.
- For public authorities, organizations that engage in large-scale data monitoring, and organizations that engage in large-scale processing of personal data, there is an additional requirement that they designate a Data Protection Officer (DPO).
How Can Northwest Media Collective Help?
At Northwest Media Collective we work with companies from the very beginning and ensure you are following best practices for privacy by design. If you are selling to customers, we will make sure the website is set up so that they feel comfortable providing their method of payment and that it remains secure in your hands. Even after your website is live and functioning, we can continue to help with security. The EU’s GDPR does not lay out any large-scale changes; it simply enforces practices that should already be followed to protect individuals’ right to privacy. That being said, there are large fines for companies that don’t comply as of May 2018, so it is worth familiarizing yourself with the regulation.