As of 25 May 2018, the General Data Protection Regulation (GDPR) takes force. The GDPR is a European regulation that forces companies, foundations and institutions to track precisely what happens to the data of their clients or members. The adoption of this act is causing a lot of stress among companies. ‘But they've been obliged for years already to be aware of how they process data, and they should have been storing data securely for many years too.’

This month, the General Data Protection Regulation (GDPR) takes force. It is intended to prevent data misuse in future. A salient moment, as just a few weeks ago we discovered that Facebook had transferred the data of many millions of users to the Cambridge Analytica company. That firm then created profiles of people and used these to influence their voting behaviour. Some allege that Brexit and the election of Donald Trump as president may have been partially assisted by this Cambridge Analytica tactic.

Selling on personal information in this way is set to become much more difficult once the GDPR takes force. It requires companies to inform their customers about data use and transfer. And that applies to all data: if a sports association wants to give its members’ dates of birth to the bar, so that they are aware of who is of a legal age to be served alcohol, then they must first ask permission from their members.
 

SELLING E-MAIL ADDRESSES

The act will have an impact on a great many practices. All of a sudden, every business is now required to explain what it does with the data. Sometimes the data is processed by an external company, and sometimes the information is shared with a sister company. And what about an e-mail address that you often have to enter for free things online? That may no longer be sold on to advertising agencies that then send spam.

No wonder many small organisations are very concerned. Associations that are run by volunteers often lack the money or time to dig into their entire data network and streamline it. In early April, it became clear that thousands of sports clubs were nowhere near ready for the GDPR. If everything's not in order by 25 May, many clubs will be facing a fine.
 

GOODWILL

But it's unlikely to come to that. ‘Small businesses don't usually have complex data. If your customer or member information is in good order, then you probably don't need to worry. What's more, for sports clubs and suchlike, there is a certain degree of goodwill’, says Ms Rachel Marbus, Privacy Officer at KPN. ‘Large companies on the other hand are going to struggle, including those with many customers who buy all sorts of different products from different departments. They have to map all that complexity.’

Marbus knows what she is talking about, as being a telecom provider KPN has a complex customer database. ‘Although we don’t sell our customer information, we do have to know where the data ends up.’ For that reason, the company started putting together a data processing register, in which each change to or transfer of data was automatically registered. This means the company always knows precisely where a customer's information is. ‘If he or she then submits a request for deletion or wants to take that data to a new provider, we can find all the information fast.’

 

MAXIMUM FINES

For companies that use the data for trading, such as Facebook and other social media, the GDPR could very quickly become complicated. In theory, every time they sell or process data, they would have to ask the user for permission.
However, there is a way out: if data processing has a ‘legitimate interest’, then explicit permission is not required. A legitimate interest means that the information serves a purpose that is part of the functionality of the business model. European regulators have previously designated data collection for advertising purposes as a legitimate interest.

However, they now say that the large-scale collection of data is such a breach of privacy that the interest of the citizen should come before that of the company. But how that will work out in practice is still anybody's guess. The risks for Facebook and similar companies are huge: the maximum fines under the new GDPR are 20 million euros or 4% of net worldwide annual sales. In Facebook's case, that last amount would be counted in billions.

No coincidence then that Facebook announced new privacy options earlier this year. After the scandals around data usage, the company will want to comply without delay. CEO Mark Zuckerberg stated that GDPR-proof privacy rules will be implemented for all European users. But he was no more specific than that.

 

MILLENNIUM BUG

So for the data giants, the GDPR could cause problems. For smaller companies with less understanding of privacy law, the Dutch Data Protection Authority (DPA) has an extensive website with checklists and tips. If all companies keep to the new rules, citizens will gain greater control over their information thanks to the GDPR. ‘And that means they can make more informed choices: soon everyone will be able to actively determine whether and how their data is used’, says Marbus.

Finally, Marbus advises people to remain calm. ‘Sometimes the panic surrounding the GDPR is reminiscent of the millennium bug. Because the new regulation is about to take force, everyone is suddenly concerned. But companies in Europe have been obliged for years already to be aware of how they process data and they should have been storing data securely for many years too. The new rules mainly ensure that the systems become tighter, but it's not the end of the world.’

If you found this article interesting, subscribe for free to our weekly newsletter!

Image: TheDigitalArtist/Pixabay