Brexit, anti-establishment populism, divisive refugee policies… these are just a few of the issues driving a wedge between countries in the European Union at the moment. However, the General Data Protection Regulation (GDPR) is not one of them. In fact, the sweeping legislation governing personal data is being hailed by many as a far-reaching triumph for human rights.
GDPR goes live across the EU on Friday (May 25). The rules are designed to give people the right to know and control the information that companies and other institutions hold on them. The regulation will affect every company around the world that has any contact with European consumers.
From now on, it will be the responsibility of companies—and companies up and down their data supply chains—to get consumers’ consent to hold their data, or face fines of up to 4% of global revenue.
The financial implication of breaking the new rules explains the recent deluge of serious-sounding emails that have clogged inboxes around the world with requests for consent to share your personal data. “GDPR” even rose above Beyoncé as a Google search term this week.
Getting 28 countries to agree on the fine print of the law took around six years. The actual concept dates back to the 2007 Lisbon Treaty, which introduced the right to data protection as a new human right.
“GDPR is intended to ensure that human rights are embedded inside commercial and state treatment of people’s data,” said Simon McGarr, director of Data Compliance Europe, a GDPR data protection consultancy. “This is different to the US, which does not take a human-rights based approach to data and indeed doesn’t even have a principle of data protection built into their systems.”
He noted that the EU has built up decades of case law on what is personal data. It also incorporates knowledge of Europe’s history, namely about how personal information was abused by totalitarian states, to inform how seriously it takes individuals’ human rights when it comes to information about them. “That’s not an experience shared by the United States, where data trading is actually a significant industry unto itself,” McGarr said.
Of course, it’s not just the lessons of history that have stoked people’s fears about how their data is used. A number of high-profile scandals, most recently with Facebook and Cambridge Analytica, have raised anxiety levels about how every move online can be harvested and traded.
Paul Jordan, European managing director of the International Association of Privacy Professionals, described the new legislation as a “game changer,” and believes it is one of the EU’s crowning achievements.
The law will not only force companies to tighten up the way they collect and use data, but could also turn better data-management practices into a feature of business models. “I think the smart companies are the companies who will not only see GDPR as a legal compliance requirement but also turn it into business enhancement,” Jordan said.
Despite all the grumbling about the new law’s reach and the cost of compliance, it could, Jordan added, encourage companies to build “a new trust paradigm with their customer base.”