Billions of people have had their personal information breached and abused after entrusting it to companies online. The GDPR is the most ambitious regulatory effort to make sure this doesn’t keep happening.

If you think public trust in government is low, it's nothing compared with the widespread distrust of online companies. One European Commission survey found that 92 percent of EU citizens are worried that mobile apps collect their data without their consent, and a majority believe companies are secretly misusing their data.

And they are correct. Companies have been quietly compiling personal data for profit and influence. The Facebook-Cambridge Analytica scandal was just one prominent episode in a series of revelations in recent years. Uber, Google, Apple, and other companies large and small have systematically invaded the privacy of millions of people. And even where companies have been honest and transparent about how they use data, their protection of that data has often been badly flawed. Nearly every major corporation has suffered a data breach. Large leaks make the headlines, but small- and medium-sized enterprises are the preferred target of cyber criminals because their defenses are usually weaker. The rate of cyber attacks rises every year; some industry estimates put the number of new threats at around 400 every minute.

If the web is the Wild West, then the EU’s General Data Protection Regulation (GDPR) is the sheriff.

With the GDPR, the EU means to restore some of the same basic safety and privacy guarantees of the physical world to the digital world, like locks on doors and accountability for negligence. Organizations that process the personal data of people in the EU and fail to protect it face fines of up to €20 million or 4 percent of global annual revenue, whichever is higher. The GDPR guarantees people certain rights, including access to and control over their data, and even the right to have their data erased. Organizations are now obliged to put in place security measures appropriate to the risk, and Article 32 names encryption and pseudonymization explicitly, so that a breach exposes as little usable data as possible.

Taken together, the GDPR marks a new way of thinking about personal data: that it belongs to people and not companies. Though far from perfect, the law gives millions of Internet users (people in the EU, that is) more power to protect themselves than they had before. Here are some of the ways it does that:

Restore trust in the Internet

Users want to be able to trust services. Companies, and the market itself, depend on that trust. The GDPR installs a new, basic contract between the companies and the consumers.

A move toward end-to-end encryption

Most online services want access to your data. Some, like banks, actually need it in order to provide you their services. Others, mainly advertising-based companies like Google and Facebook, do not need to read your documents, searches, and emails but do so anyway because it is part of their business model. With the GDPR's explicit nod to encryption, more companies will start implementing end-to-end encryption and zero-access encryption. With end-to-end encryption, only the communicating parties hold the keys; with zero-access encryption, data is encrypted on your device before it is stored, and the service provider never holds a key that could decrypt it. Either way, if there is a breach like the one that exposed Social Security numbers at Equifax or email account data at Yahoo, the attacker walks away with ciphertext and no key to read it.
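What "zero-access" means in practice is easier to see in code than in prose. The sketch below is an added illustration for this page, not code from the original article or from any named provider: a hypothetical client derives keys from the user's own passphrase, encrypts before uploading, and a hypothetical `ZeroAccessServer` stores only a salt and an opaque blob. The `breach_demo` function dumps the entire server store, the way an attacker would, and checks whether the constructed sample record is readable in it. HMAC-SHA256 in counter mode with an HMAC tag stands in for a vetted AEAD such as AES-GCM or XChaCha20-Poly1305, which is what a real client should use; the split between who holds the key and who holds the data is the point.

```python
"""Zero-access storage, sketched: the client encrypts under a key derived from
its own passphrase, the server stores only salt and ciphertext, and a breach
dump of the server contains nothing readable.

Added illustration for this page; not code from the original article or from
any named provider. HMAC-SHA256 in counter mode plus an HMAC tag stands in for
a vetted AEAD (AES-GCM or XChaCha20-Poly1305), which a real client should use.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # OWASP-recommended order of magnitude for SHA-256
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Passphrase + per-user salt -> independent encryption and MAC keys.
    Runs on the client only; the server never learns the passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, salt: bytes, plaintext: bytes) -> bytes:
    """Client side: returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = derive_keys(passphrase, salt)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(passphrase: str, salt: bytes, blob: bytes) -> bytes:
    """Client side: verifies the tag before touching the ciphertext, so a
    wrong passphrase or a tampered blob fails closed instead of returning junk."""
    enc_key, mac_key = derive_keys(passphrase, salt)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong passphrase or tampered data")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class ZeroAccessServer:
    """Hypothetical storage service. It holds a salt (not secret) and an
    opaque blob per user, and has no key material to decrypt anything."""

    def __init__(self):
        self.store = {}

    def register(self, user: str) -> bytes:
        salt = secrets.token_bytes(16)
        self.store[user] = {"salt": salt, "blob": b""}
        return salt

    def upload(self, user: str, blob: bytes) -> None:
        self.store[user]["blob"] = blob

    def download(self, user: str) -> bytes:
        return self.store[user]["blob"]

    def dump(self) -> dict:
        """Everything an attacker gets by exfiltrating the database."""
        return {u: dict(rec) for u, rec in self.store.items()}


def breach_demo(passphrase: str = "correct horse battery staple",
                secret: bytes = b"SSN 000-00-0000; salary 82000") -> dict:
    """Constructed scenario: one user uploads one record, then the whole
    server store leaks. Reports whether the plaintext was in the dump and
    whether the rightful owner can still read the record."""
    server = ZeroAccessServer()
    salt = server.register("alice")
    server.upload("alice", encrypt(passphrase, salt, secret))
    dump = server.dump()
    leaked = any(secret in rec["blob"] for rec in dump.values())
    recovered = decrypt(passphrase, salt, server.download("alice"))
    return {"leaked_plaintext": leaked, "round_trip_ok": recovered == secret}


if __name__ == "__main__":
    print(breach_demo())
```

Two caveats a practitioner would raise. First, the server still holds the salt, so an attacker with the dump can mount an offline guessing attack on weak passphrases; the PBKDF2 cost is what makes that expensive, and it does nothing for a passphrase like "password1". Second, a zero-access design also means the provider cannot reset a forgotten passphrase and hand the data back, which is exactly the property that protects the user in a breach.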

Only ‘yes’ means yes

The GDPR clarifies the meaning of consent. Where an organization relies on consent to collect your personal data or to send you marketing, that consent must be freely given, specific, informed and unambiguous, and expressed through a clear affirmative action: silence, pre-ticked boxes and inactivity do not count, and you can withdraw it as easily as you gave it. For online services, children under 16 cannot consent on their own and a parent or guardian must authorize it; member states may lower that age, but not below 13.

Policies that actually make sense

Before the GDPR, the privacy notices companies posted on their websites were hopelessly vague and confusing. Carefully written by lawyers, they were often crafted to give the companies the broadest possible latitude in what they could do with your data. The GDPR flips that around, requiring organizations to explain in clear, plain language what data they collect, why, on what legal basis, for how long, and with whom they share it.

An online Bill of Rights

The GDPR gives everyone in the EU, citizen or not, eight rights as a data subject and holds organizations responsible for facilitating them. These are the core user protections in the GDPR.

  1. The right to be informed how personal data are used
  2. The right of access to the personal data an organization holds about you
  3. The right to correct personal data that is inaccurate or incomplete
  4. The right to have personal data erased in certain circumstances (the "right to be forgotten")
  5. The right to restrict processing in certain cases, for example while the accuracy of the data is disputed
  6. The right to data portability: to receive personal data in a machine-readable format and have it transmitted to another organization
  7. The right to object to processing, including an absolute right to object to direct marketing
  8. The right not to be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects

Accountability when something goes wrong

Twenty million euros. That's how serious the EU is about data protection. It remains to be seen how the law will be enforced: will regulators go easy on companies that break it, or will they bring the hammer down? We will continue to monitor GDPR compliance and enforcement activity on this website. But however regulators handle violations, the GDPR does something else: Article 82 gives people the right to compensation for material and non-material damage resulting from violations of the regulation. So even if the authorities are reluctant to enforce the GDPR harshly, companies are still on the hook in the courts.

When we look back at the history of the Internet, we'll see May 25, 2018, the day the GDPR took effect, as a turning point. Before that date, irresponsible practices reigned: exploitation of personal information, one Facebook controversy after another, mass data breaches on a regular basis. After that date, security and privacy will more often be companies' default posture.