What Does GDPR Mean?
GDPR has been in place since May 2018, and people are now asking, “What does GDPR mean?” Some are simply looking for a definition: GDPR stands for the General Data Protection Regulation. It is the world’s strictest data privacy law at this time, expanding the rights of EU citizens and holding businesses accountable for data privacy mishaps.
But the question is a bit bigger than this simple definition. Replace “meaning” with “impact” and your thinking shifts when you ask what GDPR means. It is more than a series of rules for businesses to follow and financial consequences when they don’t. It is a response to consumer concerns about how business is done and how information is shared digitally. And the meaning of the law differs depending on the perspective from which you view it.
What Does GDPR Mean to Consumers?
For individuals, GDPR means freedom and control with respect to their personally identifiable information. The General Data Protection Regulation specifies a series of rights that individuals have over their data. People now have the right to:
Data consent. To be told that data is being collected and expressly give permission for this to happen.
Data access. To know what data has been collected and what’s happening with it.
Data portability. To move their data from one system to another.
Data correction. To request data mistakes be corrected.
Data erasure. To have their data deleted from a system.
While these rights are practical, they also signify a cultural shift. People are becoming less willing to simply hand over important information about themselves without clearly understanding when, where and how it will be used. By specifying these rights, GDPR means that consumers are becoming more knowledgeable about data usage and the related issues that could ensue if their privacy is violated.
What Does GDPR Mean to Businesses?
Of course, GDPR does not simply provide rights to consumers. It also specifies how businesses must behave in order to protect consumer rights with regard to data privacy. Businesses must:
Request consent. With few exceptions, companies must request express permission before data can be collected or processed.
Protect data. GDPR calls for pseudonymization: personal data must be stored in such a way that it cannot be traced back to a specific individual without additional information that is kept separately and protected.
Keep records. Companies must document and make available upon request details about data processing activities.
Begin with data protection in mind. As systems are designed, data protection must be taken into account.
Quickly communicate security breaches. Data breaches and the loss of personal data must be reported within 72 hours of the organization becoming aware of them.
Evaluate vendors and service providers. Businesses are no longer responsible only for their own actions. If they share data with third parties, they must also verify that those third parties comply with GDPR requirements.
Appoint a data protection officer. In some cases companies must work with an independent expert who oversees compliance with the regulation.
But again, consider the impact of GDPR and not only what it outlines. In addition to strengthening information security efforts and tightening controls on data usage, businesses must think about how increased data control might change how they operate: how they approach marketing, sales, recruitment, vendor relations and more.