GDPR is on its way and it means a lot
The EU Parliament approved GDPR on 14 April 2016 after four long years of preparation and debate. Enforcement is scheduled to begin on 25 May 2018. After this deadline, all non-compliant organizations will face heavy fines. The General Data Protection Regulation is designed to harmonize data privacy laws across Europe. GDPR is relevant to all organizations housing or recording EU individuals' or companies' data. The stakes are high, especially in the fight against hacking, but the risks are many because such a decision inherently limits business.
Stakes are high
With the daily use of social networks, online administrative services and web-based banking services, and with the rise of IoT, our data are everywhere. GDPR states that private data are all the information that can be used, directly or indirectly, to identify a natural person by means of an identifier: a name, an ID number, location data and an online identifier. This includes elements specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity. With GDPR, the processing of personal data is generally forbidden unless expressly authorized by the identifiable person concerned.
GDPR was drawn up mainly to solve two problems. Identity theft is now a real concern for almost everyone. It is a social, moral and financial matter that endangers society as a whole. It now represents billions in financial losses every year and is a real threat to the national security of all countries. GDPR is also a way to regulate the use of personal data more efficiently. Recent years have seen the emergence of misbehavior by data-centered companies. If identity is to be part of commercial stakes, it has to be regulated.
Risks of this decision are many
GDPR will raise many concerns, especially for companies that rely on heavy data-centric operations to fuel their business activities. The recent Facebook / Cambridge Analytica scandal is a perfect illustration of the types of illegal activities that GDPR is meant to prevent. First of all, the new rule states that the processing of personal data is generally forbidden if it is not expressly allowed by law or if the affected persons have not consented to the processing of these data. It signals the end of the massive collection of customer data through commercial landing pages and other data collection schemes. This could endanger the current rise of AI recommendation tools and all the automated marketing activities that depend on them.
Second, “Privacy by Design” and “Privacy by Default” are schemes built into GDPR that will force software companies to fully change the way they design their products, especially if they are to be used online. This will mean more investment and much more complex work for programmers. Final digital products will surely become more expensive. These two main issues are by no means the only ones. The effectiveness of common email marketing will be crippled by the prohibition on sending without opt-in permission. The right to be forgotten, which derives from the case Google Spain v Agencia Española de Protección de Datos in 2014, is now codified. Very substantial fines will be assessed for non-compliance. We can be sure that the GAFAs will now think twice before investing massively in Europe. From this point of view, GDPR could be equated to the US extraterritorial laws, which are a threat to the WTO.