From data privacy to mobile security: How Europe’s GDPR is overhauling the web
This article has been updated to reflect the GDPR deadline passing.
It’s no great secret that companies collect customer data. And that data is valuable. Used correctly, this data enables them to personalize user experiences — but as the recent Facebook data misuse scandal proved, in the wrong hands, personalization can quickly become unethical profiling.
Time reports that personal data for up to 87 million people — mostly US residents — was improperly shared with Cambridge Analytica, a political data firm hired by Trump’s election campaign. This scandal has generated a widespread debate on the ethics of user data privacy while underscoring the importance of data protection and mobile security.
Of course, this isn’t a new conversation, especially not in Europe. The European Union passed the General Data Protection Regulation (GDPR) two years ago, and it officially took effect on May 25, 2018.
How will these new regulations help prevent data breaches and ensure mobile security in the future?
Giving up control, taking responsibility
What exactly does the GDPR require of companies? In short, they must be more careful about how they gather and secure personal data from anyone residing in an EU country as well as be more transparent about how they use that data.
What does this look like in practice?
- Clear and concise privacy statements: Rather than asking users to read pages of fine print and legalese, companies must clearly and concisely explain what data is being collected, whether it will be used to create behavioral profiles and the purpose of any such profiles.
- Customer consent to gather personal data: Instead of placing the burden on users to opt out of personal data collection, companies must have them opt in. Personal data includes anything that could be used to identify and track the behavior of an individual — including full name, mailing address, email address, IP address, location data or identifiers that track internet and app use on smartphones.
- Data transparency: Companies must enable users to access any data that is stored about them, correct inaccurate data and limit how that data is used. For example, social networks will be required to delete photos that users posted as minors at the user’s request, and they must instruct search engines and other websites to delete the photos as well. Users also have the right to transfer their data to another organization.
- Enhanced data security: The data that consumers do consent to share must be well-protected from hackers and other malicious threats. This will require companies to step up their enterprise and mobile security efforts to ensure that personal data is protected, whether that data resides on servers, in the cloud, in mobile apps or on company-owned mobile devices.
- Greater focus on mobile security: Leaky apps and unprotected BYO devices are no longer acceptable. It is estimated that 30 percent of organizations will face “significant financial exposure from regulatory bodies due to their failure to comply with GDPR requirements to protect personal data on mobile devices” by 2019.
Simply put, the GDPR helps consumers take control while insisting that companies take greater responsibility. The fines for GDPR violations are steep. For an upper-level infringement, an organization can expect to pay a fine of up to 4 percent of the organization’s annual revenue or €20 million — whichever is higher.
What the GDPR means for American consumers and mobile security
The GDPR only protects EU residents, but it applies to any company that does business with or monitors these individuals, which includes many American businesses. According to a recent survey of C-level executives from US companies, 92 percent considered GDPR compliance a top priority on their 2017 data privacy and security agendas.
American consumers will certainly benefit from security updates and enhancements that these organizations make, and many large tech companies are rolling out new privacy dashboards for all users, regardless of location. Still, companies are not required to give Americans and other international users the same data rights as EU residents.
In light of the recent Facebook data breach, many American citizens and lawmakers are calling for similar reform in the States. According to TechCrunch, Mark Zuckerberg hasn’t yet committed to universally implementing GDPR-related changes to the platform but has promised greater data transparency. During Zuckerberg’s recent Congressional hearing over the Cambridge Analytica scandal, USA Today reported that the Senate threatened government regulation if Facebook doesn’t fix its data problems.
When or how US laws will change is still up for debate, but one thing is certain: it’s a debate the world will be hearing about for quite some time.
GDPR is live. Now what?