Multinationals will be required to better guard personal information under the new GDPR privacy rules.
With revelations that the political advertising company Cambridge Analytica mined millions of Facebook accounts without users’ consent, Facebook Inc. may be subject to a British investigation that could lead to fines as high as GBP500,000 ($700,000), according to a recent report by Bloomberg.
In the US, Facebook faces potential sanctions; in Europe, however, the timing benefits the company significantly. Had the scandal taken place two months from now, it might have been covered by a new European law that allows penalties as high as four per cent of a company’s global revenue, or in Facebook’s case, more than $1.5 billion.
The European Union’s General Data Protection Regulation (GDPR), which has been a decade in the making and takes effect on 25 May 2018, applies to any business that handles the personal data of European residents. Personal data means anything that can be linked to an individual: addresses, credit card numbers, travel records, religion, web search history, computer ID codes, biometric data, and more. “GDPR holds companies of all sizes to account,” Facebook Chief Operating Officer Sheryl Sandberg said at a January conference in Brussels, before the Cambridge Analytica leak was revealed. The law will affect almost everyone, she said, because businesses “all use data to improve their services,” according to Bloomberg’s report.
According to the global consultancy EY, the world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with GDPR. Businesses must appoint someone in the EU as a liaison with regulators, and many larger companies are required to designate a data protection officer who will be responsible for compliance.
Companies outside Europe have been slow to acknowledge that GDPR affects them as well. The research firm Gartner estimates that more than half the companies affected by GDPR won’t be compliant by the end of the year, partly because a number of the provisions remain unclear, such as the difference between “consent” and the “explicit consent” GDPR requires for sensitive data such as criminal records.
While companies can claim a “legitimate interest” in data that outweighs privacy concerns, there’s conflict over what that means—whether it includes data needed for targeted online ads, signals broadcast by Wi-Fi routers, or medical results collected to improve health care.
Under GDPR, companies may collect only the data needed for their immediate purposes, rather than simply acquiring information in the hope of making money from it later. Larger businesses must keep records of the data they hold, why they have it, how long they’ll keep it, and how they protect it. Furthermore, GDPR grants consumers the right to see the personal data an organization holds about them, and they have a “right to erasure,” meaning they can ask that the business delete it, for almost any reason. If any of that data is lost, destroyed, or stolen—whether via a hack or by accident—businesses have 72 hours to inform regulators.