GDPR – What is it? Why should I care? - 5 ways in which GDPR empowers the Internet savvy users

“GDPR,” the latest 2018 buzzword, is about to significantly change the way online businesses manage user information. GDPR stands for “EU General Data Protection Regulation” and it goes into effect on May 25th, 2018. GDPR is considered to be the most dramatic privacy law regulation in last 20 years. Under the tenets of “lawfulness, fairness and transparency,”[1] GDPR will empower EU users by providing them substantial control over their personal data shared with the businesses. In less than two weeks, companies doing business with EU, that do not adhere to the GDPR requirements will be heavily fined. In this article, “companies” refer to the online businesses that collect a user’s personal data. Below are 5 ways in which GDPR has shifted the control of sensitive personal data from companies to the users:

1. Company’s location is immaterial.

A company that processes the personal data of an EU user must abide by the GDPR requirements, regardless of whether the company is located in EU or not, and regardless of whether the company processes a user’s personal data in EU or not. In other words, a US company that processes data of an EU user in EU or US is bound by the GDPR.

2. “Terms and Conditions” must be clear and concise.

GDPR ends the practice of intricately filling the “Terms and Conditions” section of privacy policy with legal mumbo jumbo, making it difficult for the layman to comprehend. GDPR demands a succinct privacy policy, which is transparent, clear, and easily accessible to the user. A user can now consent to the terms of a contract with a better understanding of what it entails.

3. Users have ease of accessibility under the GDPR.

While it would seem obvious to most that “personal data belongs to the person,” the reality is far from it. However, under GDPR, users now have a right to know if their personal data is being processed, where is it being processed, and for what purpose is it being processed. If requested, the company must provide this information to the user free of charge. Companies must process only the required data and also take measures to prevent accessibility of personal data by third parties.

4. Companies cannot retain a user’s personal data indefinitely.

Under the Data Erasure clause of the GDPR[2], the user can demand that a company erase his/her personal data, prevent a company from distributing the personal data, and can put a stop on processing of their personal data.

5. Companies risk being fined for violating GDPR requirements.

If a company violates GDPR requirements, it risks being fined through a tiered approach, the evaluation of which would occur on a case by case basis. For instance, Article 83(4) of the GDPR provides a fine of either 10 million EUR or up to 2 % of the total worldwide annual turnover for failure to meet obligations to the users, while Article 83(5) of the GDPR imposes a higher fine of 20 million EUR or up to 4 % of the total worldwide annual turnover for more severe violations.[3]

GDPR legalizes the notion that “personal data belongs to the person.” This regulation not only benefits the EU users, but is advantageous to all the users worldwide, as companies such as Google and Facebook, have already universally updated their privacy policies. We will have to wait and see when the rest of the world incorporates this notion of a transparent privacy policy into its legal system, but in the meantime, consider how you can avoid jeopardy.

Written By:

Mansi Parikh

Attorney at Law; Chair of IP Group

Schumann Hanlon Margulies LLC

(E) mparikh@shdlaw.com;

(T) (201) 451-1400

[1] https://gdpr-info.eu/art-5-gdpr/

[2] https://gdpr-info.eu/art-17-gdpr/

[3] https://gdpr-info.eu/art-83-gdpr/

Disclaimer: This Blog/Web Site is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Web Site publisher. The Blog/Web Site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.