While speaking to a cybersecurity expert about the Cambridge Analytica scandal a few months ago, I was treated to a free piece of wisdom – “nothing in this world comes for free, and if you aren’t paying for something in cash, chances are that the price is actually higher.”
The idea of user data as currency has gained credence over the last few years as it has become clearer that vanilla advertising is not the only way that the Googles and Facebooks of the world are looking to make money.
Billions of people have handed over small pieces of personal information to these companies, blissfully unaware of how much that amounts to – and that’s what makes Europe’s General Data Protection Regulation (GDPR) so important.
The GDPR isn’t a brand new piece of legislation. It was passed 2 years ago, and companies were given time until the 25th of May, 2018 – or this Friday – to become compliant.
Simply put, it aims to give internet users more control over their personal data, while simultaneously making tech companies that collect this data more accountable.
European citizens will be able to access their personal data that is stored by companies, and ask exactly how it is being used.
Citizens will also be able to ask companies to delete this data, not just from their own servers but also from any third-party company that accessed this data through those servers.
If companies are changing how they use data they have already collected, they will have to explicitly ask users for their consent through simple-to-understand consent forms. In simple terms, if you don’t like what a company is using your data for, you can ask them to delete it.
Companies that don’t comply could be in for serious consequences, as a breach of GDPR guidelines can lead to fines of up to 20 million Euros (160 crore rupees), or 4% of their global turnover, whichever is higher.
Not taking data protection seriously could do enough financial damage to impede a company’s operations. Companies that manage a large amount of data will also have to hire a dedicated Data Protection Officer to ensure that they are compliant with GDPR norms.
While GDPR will only apply to European companies or companies with access to the data of European citizens, the impact is likely to be more widespread as other countries adopt principles from GDPR in their own data protection laws.
What’s more, global technology giants are likely to comply with these norms on a global level, in anticipation of this becoming a global trend. As for India, which does not have a dedicated data protection law yet, when legislators look for a benchmark to base their new law on, GDPR might be the simplest answer.
While the GDPR is the EU’s way of ensuring greater transparency in data collection from a regulatory standpoint, the greater challenge will be citizens using this framework effectively to monitor and control the use of their personal data. Signs are heartening, at least if an Economist report is to be believed – while Google searches for “privacy” have declined about 50% since 2004, searches are at a 12-year high post the Cambridge Analytica scandal – so while EU authorities may not have factored this in when they passed the bill 2 years ago, it’s a gift they will likely be thankful for.