The recent Facebook incident of data misuse has awakened concerns regarding data safety. The U.K.-based political advertising firm Cambridge Analytica misused the information of nearly 50 million Facebook users to help Donald Trump win the White House. Though Facebook has not yet responded to this calamity, the issue of data safety has come into the picture. Moreover, the massive data breaches at Equifax and Yahoo had already raised concerns over the safety of online data. Taking the increasing need for online data safety into consideration, the European Union (EU) decided to deploy tougher regulations over how data collectors can collect data and information from users. The EU has been designing new regulations to offer users more control over their data. From May 25 this year, all EU countries will apply the General Data Protection Regulation (GDPR). This regulation will apply new standards to holders of sensitive data. Any company that requests personal data from EU residents needs to comply with these regulations.
According to GDPR, firms need to post clear notices and get consent from users to gather their data. There should not be any confusing terms and conditions that need to be agreed upon while signing up. Moreover, it needs to be as easy for customers to opt out as to opt in. They will have the right to deny the use of their data for marketing purposes. Users can get their data back after giving access and sell it to other businesses. Data collection on children below 16 years is banned without the approval of their parents.
Any data that falls under “personal data”, such as credit card numbers, web search history, travel records, religious affiliations, and biometric data, will be protected. However, public records, legal actions, and news articles are excluded from the sensitive data category. The new regulation will not apply only to search engines, social networking sites, and online retailers; it will also apply to chat rooms, schools, property management companies, and others.
Companies and organizations with more than 250 employees need to recruit a data protection officer to ensure the rules are followed. They also need to train employees and ensure audits comply with the regulations. On the other hand, if a firm has fewer than 250 employees but needs to collect large amounts of sensitive data, it also needs to hire a data protection officer. If a data breach occurs, electronic data collectors need to inform the authorities within 72 hours, and customers in a timely manner if there is a risk to them. So attempts to cover up a data breach, such as Uber’s data hack in 2016 and Yahoo’s breach in 2013, will be a punishable offence.
Companies failing to comply with these regulations will have to pay fines of up to $12.4 million, or 2 percent of annual worldwide revenue, whichever is higher. Negligence or violation of the conditions of consent can cost up to $24.8 million, or 4 percent of annual worldwide revenue, whichever is higher. Moreover, people responsible for such incidents will face prison sentences. However, it is possible that action taken against huge firms would be fought in court for years. Data safety has become a task of the utmost importance, as bad actors are keen to misuse data. It will be interesting to see how the scenario changes once the regulation is in force.