The General Data Protection Regulation (GDPR) arrives on 25th May 2018. It is the latest and biggest shake-up of EU privacy regulation, and has many companies feeling a) confused b) worried or c) both.
The GDPR is designed to keep in line with technology’s massive use of data. It is updating a 2002 European Directive ‘concerning the processing of personal data and the protection of privacy in the electronic communications sector’. You know what else was released in 2002? Harry Potter and the Chamber of Secrets (FYI: the second movie in the series).
The GDPR is necessary. However, it is not to be feared — especially in Germany, where privacy is taken seriously and the Federal Data Protection Act is already compliant.
Let’s break it down.
1. The new German Federal Protection Act will be stricter than GDPR
In April 2017, Germany passed its new Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG for short) in accordance with the GDPR. This updated act will also be enforced from 25th May 2018. Germany was one of the first EU countries to take the Regulation on board, and parts of it were literally copied and pasted into the new German act, hence its early completion.
“The GDPR is closely related to the German privacy laws,” said Alex Krull, Senior Vice President of Sales at Webtrekk. “We have always had to change or delete data if a client or end user asked. Plus, Webtrekk already had the necessary documentation and transparency.”
In fact, the new act is stricter in some areas. For example, every German business with at least 10 employees processing personal data must appoint a Data Protection Officer. In comparison, the GDPR has no rule regarding the number of employees — a DPO is only necessary if a company’s core activity is large-scale data processing.
“For other European countries, the Regulation's data rules are very stringent,” said Krull. “However, Germany has always taken data privacy very seriously.”
2. Germany loves privacy
Germany and data privacy have had a long love affair. Just recently, the German government enforced privacy rules against a social media giant: Instagram changed its terms of service in Germany after the Federation of German Consumer Organizations (vzbv) accused the platform of breaking the country’s data protection law. This was before the GDPR’s implementation!
“As the GDPR is closely related to the former German privacy law, it is easier for German companies to become GDPR compliant,” Krull said. That’s one way of putting it. While an optimistic 77% of UK companies believe they will be compliant by the time May 2018 rolls around, only 5% are ready now.
In terms of future data breaches, the numbers are not forgiving. 54% of UK companies expect a breach within the next 12 months. A massive 78% of French companies expect a breach, while only 46% of German companies do.
The German media’s reporting of the GDPR is another factor contributing to Germany’s acceptance of the regulation. It has been a hot topic in the press for roughly two years, with focus on the repercussions of breaches.
So, early awareness means early action!
3. The GDPR has its benefits
Underneath the vendor and publisher hysteria hide the benefits. The main one, of course, is that end users ultimately have greater control over their data and over the companies that are storing it.
Potentially, this will lead to greater trust between company and customer. At the moment, a vast 70% of the European public are concerned about the use of their data, i.e. that it goes beyond the original consent.
“In the past, there would be a website banner about cookie use which was very vague for users,” said Krull. “It usually meant 30 or 40 cookies were in use.”
The Regulation requires companies to be transparent and explicit regarding the collection and usage of users’ data. Instead of a long-winded privacy agreement (that no-one reads, ever), one option is to split privacy statements according to the consent required; for example, a separate request when geolocation needs to be activated.
Obtaining user consent is essential to avoid mishandling data. If a company suffers a data breach, 75% of customers say they would buy elsewhere. (Also, under the GDPR a breach is eligible for a fine. You know, the little €20 million mentioned earlier.)
“Companies who can claim GDPR compliance will stand out in the market,” said Krull. “It’s about building a reputation as a secure company that customers can trust.”