You must have come across the term GDPR at least once in your tech career. It may or may not affect your company directly, but its effects have been felt across the industry over the years.
In this post, I will try to present a high-level view of why GDPR matters to individuals and what liabilities it brings to tech companies. This post will not cover the common GDPR terminology that comes up in conversations.
Let’s start with a user-scenario:
Abby is a social person and uses a popular social networking site to stay connected with everyone. In the past, she had posted a lot of content publicly, but now wants to limit access to a few friends and delete some unwanted content from her past.
Sadly, this social networking site says it does not have the ability to update or delete content once posted. Suddenly, Abby finds herself with no control over the data that she chose to post publicly at some point in her life.
In this process, she lost some part of her privacy to a social networking site.
As we can see, Abby is in a helpless situation. She cannot edit or delete her data from the site herself. There might be many people just like Abby who are left at the mercy of tech companies to manage their identities. If user privacy is not a concern for a company, it might not bother to solve such issues for individual users, and there is no one to hold it accountable.
With this user-scenario in mind, let's look at the definition of GDPR:
GDPR stands for “General Data Protection Regulation”. As the name states, it is a data protection regulation. It is a legal framework aimed at providing control of personal data to the individuals themselves. This regulation applies to anyone handling personal data of users from the EU and EEA region.
Coming back to our example, let's assume Abby belongs to the EU or EEA region. Any company handling her personal data must comply with GDPR, whether that company is located in Europe, Asia, America or Australia. This EU regulation has now empowered Abby, our protagonist. Here are some of the rights of data subjects (in our case, Abby) listed under GDPR:
- Right of Access
- Right of Rectification and Erasure
- Right to be Forgotten
- Restriction of Processing
- Right of Data Portability
- Right to Object
- Right to Object to Direct Marketing
As you can see, Abby now has the right to access her data, and she can choose to rectify or erase her data from the social networking site. The company has to enable this and provide her the means to manage her data. Any violation or denial of these rights would attract hefty fines, and I quote:
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher
These hefty fines make everyone stand up and take data protection seriously. The most expensive fine at the time of writing this post is Google's, a whopping £44m GDPR fine over ads.
I stumbled upon an interesting website that tracks these fines. You can check it out here — https://www.privacyaffairs.com/gdpr-fines/
EU-GDPR is just one step towards end users getting more control over their data. Along these lines, many countries and states have started implementing their own versions of data protection acts, such as the CCPA (California Consumer Protection Act) and the LGPD (Lei Geral de Proteção de Dados), which is considered Brazil's own version of GDPR.
Whether you are an end user, an engineer or someone running a tech company, I hope this post gives you a peek into the world of GDPR and why it matters so much to companies.
Note: There are a number of other important terms in GDPR, like PII, consent, data processors, data controllers, adequate technical safeguards etc., which aren't covered in this blog post. Without an understanding of these terms, an introduction to GDPR cannot be considered complete.
Thank you for reaching this point! :)