The major basis for the new rules is that consumers own and control their own data, and companies can only use that data if there is at least one lawful basis for doing so. The lawful bases include:
- A consumer gives specific permission to use personal data for one or more specific purposes;
- Processing the data is necessary to meet a contractual arrangement with a consumer;
- Processing the data is necessary to meet a legal obligation which applies to the consumer;
- Processing is necessary to protect the vital interests of the consumer or some other natural person;
- Processing is allowed for the performance of a task carried out in the public interest, such as by the government;
- Processing is necessary to pursue legitimate interests of the data controller or a third party.
For the most part the new laws require consumers to give explicit consent to use their data, including the specific purpose for the use. Just like in the US, there are provisions for law enforcement to gain access to customer data through subpoena or court order.
Larger companies are expected to create the position of Data Protection Officer, who is tasked with making sure that all parts of a company are compliant with the law. As you might expect, meeting these requirements is a major change for many companies, and there has been a two-year transition period leading up to the May implementation.
The new law also changes the way that companies store customer data to minimize the impact of data breaches. For example, companies are encouraged to store data in such a way that the stored data cannot be attributed to a specific person without the use of additional data that is kept separately. The law calls this pseudonymisation, which means encrypting stored data and storing it in a manner that makes it hard for an outsider to use. For example, a company would not store things like a social security number, date of birth, address and email address all in the same record.
The law has teeth and allows for fines up to 4% of the worldwide revenues of a business for massive violations of the rules. The expectation is that there will probably have to be a few serious fines levied to get most companies to get serious about following the new rules.
Overall this law creates a drastic change in the handling of customer data. Companies will not be allowed to mine and sell customer data without specific customer approval. It seems to particularly discourage the practice of selling data to brokers who can then use the data in any manner they choose. In this country companies like Google and Facebook make huge revenues from data mining and the big ISPs are now leaping into this same business line. In Europe this is going to greatly restrict the value of selling customer data.
This new law is worth following since the big web companies that are so predominant in this country are going to be complying with the new rules. This means it would be relatively easy at some point to require similar rules here concerning customer data.
The GDPR data storage rules also have the purpose of limiting the value of data breaches. If we see a great reduction in damaging hacking in the EU because of this law, then companies here might begin following the EU recommended data storage methods even if the privacy rules are never implemented here. Some of the most damaging hacks we’ve seen here are when a hacker gets records that provide multiple data points for a given customer. If a hacker can’t use the data to put together a coherent picture of a given customer then the value of a breach is greatly reduced.
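The storage-separation idea described above (the pseudonymisation paragraph and the point that a breach is worth less when a record no longer gives an attacker multiple data points for one customer) is easiest to see in code. The following is an added example, not code from the original post or from any GDPR tooling: direct identifiers are moved into a separate identity vault keyed by a random token, and the operational record keeps only the token plus non-identifying business fields. The field list, the sample customer and the in-memory `IdentityVault` are constructed for illustration; a real deployment would keep the vault in a separately secured, encrypted store with its own access controls.

```python
import secrets
from dataclasses import dataclass, field

# Constructed list of fields treated as direct identifiers. These are never
# written into the same record as business data.
DIRECT_IDENTIFIERS = ("name", "ssn", "date_of_birth", "address", "email")

# Constructed sample record of the kind an ISP billing system might hold.
SAMPLE_CUSTOMER = {
    "name": "Example Person",
    "ssn": "000-00-0000",
    "date_of_birth": "1980-01-01",
    "address": "1 Example St, Anytown",
    "email": "person@example.invalid",
    "plan": "fiber-1g",
    "monthly_usage_gb": 812,
}


@dataclass
class IdentityVault:
    """Separate store holding the 'additional data' needed to re-identify a token.

    In-memory dict for the example; in practice this lives in its own
    encrypted data store with access limited to the few processes that
    genuinely need identity (billing, legal requests), not analytics.
    """
    _entries: dict = field(default_factory=dict)

    def add(self, token: str, identifiers: dict) -> None:
        self._entries[token] = dict(identifiers)

    def lookup(self, token: str) -> dict:
        # Raises KeyError for an unknown token: without the vault there is
        # no path from a token back to a person.
        return dict(self._entries[token])


def pseudonymise(record: dict, vault: IdentityVault,
                 token_factory=lambda: secrets.token_hex(16)) -> dict:
    """Split one customer record into an operational record and a vault entry.

    Returns the operational record: a random token plus every field that is
    not a direct identifier. The identifiers go into the vault under that token.
    token_factory is parameterised only so tests can use a fixed value.
    """
    identifiers = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    business = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    token = token_factory()
    vault.add(token, identifiers)
    return {"token": token, **business}


def reidentify(operational_record: dict, vault: IdentityVault) -> dict:
    """Rebuild the full record; only possible with access to the vault."""
    business = {k: v for k, v in operational_record.items() if k != "token"}
    return {**vault.lookup(operational_record["token"]), **business}


def leaks_identifiers(records: list) -> bool:
    """Breach-impact check: does a dump of these records expose any direct identifier?"""
    return any(k in DIRECT_IDENTIFIERS for r in records for k in r)


if __name__ == "__main__":
    vault = IdentityVault()
    op = pseudonymise(SAMPLE_CUSTOMER, vault)
    # A dump of the operational store alone gives the attacker usage data but
    # no way to attach it to a person.
    print("operational record:", op)
    print("identifiers exposed by operational dump:", leaks_identifiers([op]))
    # Re-identification requires both stores.
    print("re-identified:", reidentify(op, vault))
```

The check that matters for the post's argument is `leaks_identifiers` over the operational store: a breach of that store yields tokens and plan data but none of the multiple data points (SSN, date of birth, address, email) that make a dumped record valuable, and a breach of the vault alone yields identities with no account history attached. Tokens are random rather than hashes of the SSN so that an attacker who already knows someone's SSN cannot confirm which operational record is theirs.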