Tomorrow, the General Data Protection Regulation (GDPR) goes into effect across the member states of the European Union, in what may be the most extensive piece of data privacy legislation enacted to date. Aimed at giving people in the EU greater control over their digital identities and at harmonizing data protection rules across the continent, the GDPR imposes new obligations on local and international companies and organizations alike that store or process personal data on people in the EU, including organizations with no establishment in the EU at all. Consequently, the global data science community is alight with talk of how the new rules will affect businesses, data scientists, and data subjects. Here are a few things everybody in the data science space should know about the new regulation:
After Mark Zuckerberg’s recent testimony to EU leaders, and a generally heightened interest among policymakers and the public in data privacy, the timing of such sweeping legislation as the GDPR would seem auspicious. The roots of the GDPR, however, date back at least to 2012, when the European Commission first proposed an early draft.
Mark Zuckerberg next to Antonio Tajani, President of the European Parliament. Image source: euractiv.com
Over the past two decades, Europe has led the rest of the world on matters of data protection and privacy, having established the Article 29 Data Protection Working Party under the 1995 Data Protection Directive. Still, over the years policymakers have struggled to keep up with the blazing pace at which data has become a part of business and everyday life, from the rise of social media to the recent revolution in AI and machine learning.
Among the most formidable challenges in this initiative has been standardizing regulation across the EU member states, each of which historically took its own approach to data protection and privacy. Aligning those approaches into a single, directly applicable regulation might be seen by some as one of the greater achievements of the GDPR. As such, the GDPR represents the culmination of decades of grappling with the growth of data technologies and the accompanying concerns over privacy and fair use.
GDPR is complicated. Really complicated. Some experts have questioned whether full compliance with its 99 articles across 11 chapters is even possible. Meanwhile, startups have emerged with the sole purpose of helping organizations transition to compliance, and big players like IBM offer consulting services in this domain. In plain English, here are a few of the most significant elements of the new regulation:
- GDPR applies to any file or database containing a person’s name, ID number, or any other personal data that could conceivably be used, directly or indirectly, to single out an individual within a larger group. It doesn’t matter where the data is stored or where the organization is located: if the data is about a person in the EU and the processing relates to offering them goods or services or monitoring their behaviour, the processing must adhere to the GDPR.
- GDPR offers data subjects an unprecedented level of access and control over their personal data. People can ask organizations to delete their data if there is no overriding legal basis to keep it. They can object to ‘profiling’ systems that filter or tailor information based on what organizations have collected about them. More generally, data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on them. Organizations generally have one month to respond to a data subject request, extendable by two further months for complex or numerous requests.
- GDPR requires organizations to report a personal data breach to their supervisory authority ‘without undue delay’ and, where feasible, within 72 hours of becoming aware of it. Affected individuals must also be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms. In practice this means that most businesses must prepare a breach-response process capable of assessing and reporting incidents on a 72-hour clock.
- Failure to comply with GDPR rules could result in fines of up to a staggering 20 million euros, or 4% of a company’s worldwide annual turnover, whichever is greater. For companies like Google and Amazon, that 4% figure could entail fines in the billions of dollars.
Elements of the GDPR were shaped by the EU’s past legal battles with Google; separately, the EU’s antitrust case against the search giant culminated in a fine of 2.4 billion euros (about $2.7 billion) in 2017. Image source: nola.com
Given the complexity of GDPR, it’s not surprising that many organizations that store or process EU personal data are struggling to understand what it means for them and how they need to shift or renovate their business practices to comply. Frighteningly, though, recent surveys indicate that as many as half of the organizations affected will not be compliant by the May 25th deadline, and that a significant number of companies outside the EU are completely unaware that the new legislation applies to them. The problem is likely most severe among startups and small businesses that lack the legal or financial resources to reach compliance. It remains unclear how strictly the regulation will be enforced, and how soon.
In the aftermath of recent breaches and leaks such as the Facebook and Cambridge Analytica scandal and the Equifax breach, the data world and its participants have faced increased scrutiny from policymakers and the general public over privacy and protection. The future success of the data and AI industries will require new efforts, centered on improved security and transparency, that aim to allay widespread fears about misuse.
Inasmuch as GDPR will cause confusion and unpleasantness in the near term, it may ultimately be remembered as a growing pain in the early days of a world-transforming data and AI revolution. Depending on the success of GDPR, policymakers in the US and elsewhere may seek to follow Europe’s lead. For now, the data world can expect a wild ride.