Where GDPR goes next: How digital privacy is taking over the world


Designed to update the privacy rights of internet users and ensure organisations are transparent and responsible when handling the personal information of customers and clients, the European Union’s General Data Protection Regulation (GDPR) laws came into force on May 25 last year.

The legislation had been in the works for a number of years, but its introduction into law came as data privacy and consent were already topping the news agenda following episodes such as the Facebook and Cambridge Analytica data scandal.

GDPR was designed to protect EU citizens’ data, but the open nature of the web inevitably means it has an impact beyond its own shores. Even companies outside of the EU will often have to comply with the data protection legislation – for example, if they offer goods or services to EU citizens or if they have a branch somewhere within the trading bloc.

This extended reach of GDPR has led to some unexpected outcomes. One example: European internet users looking to visit some US-based news publications may find that they can’t view the websites – instead being met with pages explaining that the publication didn’t comply with the new legislation and had blocked them.

Some eventually found solutions to this, while a year on from the legislation being introduced some US publications continue to only show a holding page to European visitors.

But beyond the flood of emails asking for your explicit consent to be marketed to, or the notices you see on websites warning of the presence of third-party cookies, there is a bigger shift taking place.

“To a large extent in the US, most users attribute GDPR with an influx of cookie notifications and see it as an annoyance, rather than what it is: an attempt by regulators to give the consumer a level of visibility and control over what data is being collected about them,” says Tim Mackey, senior technical evangelist at Synopsys.

But soon enough, even for businesses that have no involvement with the EU, there may be no hiding from data protection legislation as countries and regions around the world look to implement their own privacy laws, including Brazil, Japan, South Korea, India and others.

One of those is the home of Silicon Valley, California, which is set to introduce the California Consumer Privacy Act as of January 1 2020.

The legislation appears to have taken cues from GDPR when it comes to allowing individuals to have a greater say about how their personal data is used, but in many ways it doesn’t go nearly as far. The law doesn’t set a time limit for notifying consumers of a data breach like GDPR does and neither does it come with the prospect of fines for non-compliance.

However, even before new data protection legislation is introduced into different parts of the world, GDPR appears to be having some sort of effect on how some of the giants of Silicon Valley operate.

Apple CEO Tim Cook has called for the US to introduce an equivalent to GDPR to prevent data being weaponised against users. Facebook CEO Mark Zuckerberg recently spoke about how privacy will be the future of Facebook – even though he admits himself that some may find that hard to believe.

Google also appears to be making changes to the way it operates – and that’s despite appealing a 50m fine issued to it by French data protection authorities after the company was found to be engaging in “forced consent” and lacking a sound legal basis for processing people’s data.

The web giant recently announced a new auto-delete feature which automatically deletes location, app and web history after either a three-month or 18-month period as opposed to requiring users to delete data manually.

While only a small step towards additional privacy, it’s possible that the introduction of GDPR has helped spur this change on, as companies like Google work to accommodate users becoming more aware about digital privacy.

“One of the outcomes of the Google fine was that Google had to begin making decisions around the structure of data collection and privacy management out of their Irish office and not just California,” says Mackey.

If there’s one thing which GDPR achieved, it is raising awareness about data privacy issues – even if that awareness only emerged after web users were inundated with emails asking for consent for their data to be processed in the run-up to May 25 last year.
