This is the first of a three-part series which will explore the GDPR, its impact on social media platforms and its implications for the allied health, life sciences and research community.
On the 25th of May, 2018, the Internet is going to look a little bit different as the General Data Protection Regulation (GDPR) comes into effect across the European Union (EU). While the law is designed to protect EU citizens from privacy and data breaches, considering that the flow of information now takes place on an increasingly interconnected global stage, its impact will go beyond arbitrary geographical borders. The data protection law will not only affect transnational businesses and organisations, but local Australian ones too, in the realms of content creation, targeted marketing and the management of online communities.
What is the GDPR?
The GDPR will be one of the most robust data privacy and protection regulations in the world, which will affect how data is processed, collected and stored. It has been designed to fortify the safeguarding of user data, to simplify processes for both businesses and individuals, while ensuring data protection obligations and processes are uniform across the EU.
For businesses, it means greater legal certainty. Rather than catering to the different incumbent laws in different European countries, the GDPR will introduce a singular legal framework for the entire region. Simultaneously, the GDPR aims to encourage transparent data handling protocols amongst businesses to instil greater accountability.
More importantly, the law gives individuals the power to control how their data is shared and retained by private firms, allowing EU residents to interact with businesses and organisations online with greater confidence and trust.
What will change?
Ultimately, this legislation shifts the burden of data protection from the individual to businesses and organisations, with users needing to give their express consent for the use of any piece of their personal information. There will be a move towards the opt-in model, as opposed to the opt-out model. With this, businesses and organisations will be required to provide EU residents with clear, plain and easy-to-understand statements on how their data will be stored, processed or used.
Failure to comply can become costly, with penalties that can escalate from a warning, to regular data audits, to a fine of €20 million (over $AUD30 million) or 4% of annual global revenue, whichever is greater.
What type of data is covered by the law?
Virtually all data on every online platform from every individual residing in the EU is covered by the GDPR. This includes uniquely identifiable information, such as official identity documents, but also data such as IP, email and home addresses, physical device information, date of birth, and online financial information. The legislation also protects information about an individual’s religious, political and philosophical beliefs, sexuality and genetic or biometric data, such as fingerprints and DNA.
The breadth of the GDPR cannot be overstated. Under the law, user-generated content, from individual tweets to a Facebook post, is also protected. In addition to this, EU citizens will have the right to question or appeal how their personal information is presented by algorithms on social media platforms and search engines. The legislation was also designed to be technology-neutral, so it will apply to any new and emerging online platforms.
What can we do now?
The smartest move is to begin adopting the necessary procedural, legal and operational practices to comply with the GDPR now. In fact, the Office of the Australian Information Commissioner states that Australian businesses, no matter their size, may need to comply with the GDPR, ‘if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor behaviour of individuals in the EU.’ This encompasses businesses that offer worldwide shipping or organisations that have newsletter subscribers from within the EU. Regardless, not only is it good practice, but it is only a matter of time until Australia puts similar laws into place.
Part II of this series will explore how the GDPR will impact social media, while Part III will investigate how this law will affect the Australian medical and scientific community.