The EU’s GDPR and Privacy Policy Changes

In the last few weeks, many companies have been sending out emails with the following message: “We’ve updated our privacy policy.”

The reason for the abundance of such messages is the General Data Protection Regulation, also known as the GDPR. In 2016, the European Union enacted the GDPR, a sweeping data-protection law, but it included a two-year grace period for companies to reach compliance. Now, two years later, on May 25, 2018, the EU has begun to enforce its privacy law.

What does the GDPR actually do? The GDPR forces companies—everybody from multinationals to small restaurants—to document how they gather and process personal data, and it gives individuals new or expanded rights over their data. For example, companies must delete data as soon as it is no longer needed, and individuals have the right to see, correct, or delete personal information about themselves. What are the consequences of not complying with the GDPR? Companies that fail to comply will be fined 4% of their global revenue or $23.4 million, whichever is larger. Although the GDPR is an EU law, it protects any data involving individuals in the EU, so even companies located outside Europe have opted to make global changes to their privacy policies.

Even with the two-year grace period, many companies have struggled to reach full compliance by May 25. According to a Capgemini SE survey of 1,000 businesses conducted in March and April, only half said they were even “largely compliant” at that time; newer surveys also suggest that 60-85% of companies did not expect to be compliant by May 25. Companies have also cited heavy expenditures to meet the deadline.

Privacy advocates have given the GDPR widespread approval; at the same time, others are wary of what seems like excessive regulation. The law has certainly inspired new discussion about privacy and data, but whether it will inspire other countries to enact similar laws remains unknown.