What is GDPR?
Europe’s General Data Protection Regulation (GDPR) is a new law on data privacy, designed to protect people’s rights and their personal information.
It’s important because for the first time ever, individuals will have the power to demand that a company reveals or deletes the personal data they hold, while regulators will be able to work together across the European Union, enforcing their decisions with serious penalties: The maximum fine will now reach either €20 million or 4 per cent of the company’s global turnover, whichever is higher.
This could potentially run in to the billions of euros for some firms.
When does it come in to effect?
May 25, 2018.
Who does it affect?
The law will cover people or companies either in the European Union (EU), or offering a service to persons in the EU, or monitoring the behaviour of persons in the EU. While this will encompass firms in every sector, experts say that technology firms, marketers, and the data brokers who connect them will be hardest hit.
And the law doesn’t just protect European residents or nationals. If you are an Indian business-person regularly travelling to Europe, for example, your data might also be protected under GDPR.
What does GDPR mean for me?
If you fall in to categories described above, then it means you will now be protected by the strongest data privacy laws in the world. You have the right to be forgotten, meaning you can demand the deletion of your name from websites, and you can also revoke your consent for data to be used by marketing firms and tech companies.
It will give you the power to challenge companies on how the use your personal information like never before.
Why am I getting so many emails from companies all of a sudden?
Depending on their legal advice, some companies have decided they need your explicit consent under GDPR to continue holding on to and using your personal data. These companies have been frantically emailing their customers or subscribers, telling them to “click here so we can stay in touch” or asking that they “agree to keep receiving emails from us.”
Others, however, believe they have a “legitimate interest” in keeping your data, and will therefore just be notifying of the changes to their terms and conditions.
Can I ignore the emails?
Of course. The worst case scenario is that you just hear from these companies less often, or you may stop hearing from them altogether, if they feel they don’t have the right to hold on to your data.
If this is a European law, why does it matter here in the UAE?
It matters because there are many companies in the UAE who operate in Europe, have European customers, or advertise online to Europeans, all of which would entail processing the data of people in Europe. This means that firms here, and around the world, need to ensure that if the rules of GDPR apply to them, they are compliant before May 25.
So UAE companies here could be liable to fines if they don’t comply?
In theory, yes.
How will that be enforceable?
It is unclear if those fines would be enforceable in the UAE, but any UAE company looking to do business (or already doing business) in the EU could be sanctioned in the European jurisdiction under which they are operating.
Will it work?
Experts say that remains to be seen, although they have praised the EU’s insistence that companies follow in the spirit of the law, as opposed to simply doing the bare minimum to be compliant.
This means, for example, not bamboozling customers with densely-written terms and agreements but being more upfront about what they are requesting your consent for.
What happens next?
Most likely a wave of legal challenges from individuals and companies alike, as the ambiguities in the regulation are hammered out in the courtrooms.
Companies will argue that their competitiveness is hampered by the law, whilst citizens are likely to argue for the strictest possible interpretation of GDPR in an era of Cambridge Analytica and mass violations of personal privacy.