The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the
collection and processing of personal information from individuals who live in the European Union
(EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all
sites that attract European visitors, even if they don't specifically market goods or services to EU
residents.
The GDPR mandates that EU visitors be given a number of data disclosures. The site must also take
steps to facilitate such EU consumer rights as a timely notification in the event of personal data
being breached. Adopted in April 2016, the Regulation came into full effect in May 2018, after a
two-year transition period.
Customer-Service Requirements of the GDPR
Under the rules, visitors must be notified of data the site collects from them and explicitly consent
to that information-gathering, by clicking on an Agree button or other action.[1] (This requirement
largely explains the ubiquitous presence of disclosures that sites collect "cookies"—small files that
hold personal information such as site settings and preferences.)
Sites must also notify visitors in a timely way if any of their personal data held by the site is
breached.[2] These EU requirements may be more stringent than those required in the jurisdiction in
which the site is located.
Also mandated is an assessment of the site's data security, and whether a dedicated data protection officer (DPO)
needs to be hired or an existing staffer can carry out this function.[3]
Information on how to contact the DPO and other relevant staffers must be accessible so that visitors may exercise
their EU data rights, which also include the ability to have their presence on the site erased, among other
measures.[4] (Naturally, the site must also add staff and other resources to be capable of carrying out
such requests.)
Other Rules and Mandates of the General Data Protection Regulation (GDPR)
As further protection for consumers, the GDPR also calls for any personally identifiable information (PII) that sites
collect to be either anonymized (rendered anonymous, as the term implies) or pseudonymized (with the consumer's
identity replaced with a pseudonym).[5] The pseudonymization of data allows firms to do some more extensive data
analysis, such as assessing average debt ratios of their customers in a particular region—a calculation that might
otherwise be beyond the original purposes of data collected for assessing creditworthiness for a loan.
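The pseudonymization described above can be shown concretely. The following is an added example, not code from the article or from any regulator: it replaces the direct identifiers of a small set of constructed loan-customer records with a keyed pseudonym, runs the regional debt-ratio analysis over the pseudonymized rows, and then honours an erasure request (the right mentioned earlier in the article) by recomputing the subject's pseudonym. The key is kept apart from the data set; that separation is what makes the output pseudonymized rather than merely obfuscated. The record fields, the key, and the customer data are all assumptions made for the example.

```python
"""Keyed pseudonymization of customer records plus aggregate analysis.

Added example, not code from the article. Sample records are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from collections import defaultdict
from statistics import mean

# Constructed sample data: four hypothetical loan customers (not real people).
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com", "region": "Bavaria", "debt": 12000, "income": 48000},
    {"name": "Bob Example", "email": "bob@example.com", "region": "Bavaria", "debt": 30000, "income": 60000},
    {"name": "Carol Example", "email": "carol@example.com", "region": "Catalonia", "debt": 9000, "income": 45000},
    {"name": "Dave Example", "email": "dave@example.com", "region": "Catalonia", "debt": 27000, "income": 54000},
]

# Fields that identify a person directly; these are what pseudonymization removes.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym_for(email: str, key: bytes) -> str:
    """Derive a pseudonym from an identifier with a keyed hash (HMAC-SHA256).

    A plain hash of an e-mail address is a weak pseudonym: anyone can hash a
    list of candidate addresses and match them. With HMAC, the secret key is
    the additional information that must be held separately from the
    pseudonymized data set; without it the mapping cannot be rebuilt.
    """
    digest = hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize(records: list[dict], key: bytes) -> list[dict]:
    """Return copies of the records with direct identifiers replaced by a pseudonym."""
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": pseudonym_for(rec["email"], key), **kept})
    return out


def average_debt_ratio_by_region(records: list[dict]) -> dict[str, float]:
    """Secondary analysis that needs no identity: mean debt/income per region."""
    ratios = defaultdict(list)
    for rec in records:
        ratios[rec["region"]].append(rec["debt"] / rec["income"])
    return {region: round(mean(vals), 4) for region, vals in ratios.items()}


def erase_subject(records: list[dict], email: str, key: bytes) -> list[dict]:
    """Honour an erasure request against the pseudonymized set.

    The key holder recomputes the subject's pseudonym and drops matching rows;
    a party holding only the data set cannot tell which row belongs to whom.
    """
    target = pseudonym_for(email, key)
    return [rec for rec in records if rec["pseudonym"] != target]


if __name__ == "__main__":
    # Constructed key for the demo; in practice it lives in a separate key store.
    demo_key = b"constructed-demo-key-keep-this-separately"
    table = pseudonymize(CUSTOMERS, demo_key)
    for row in table:
        print(row)
    print(average_debt_ratio_by_region(table))
    print(len(erase_subject(table, "alice@example.com", demo_key)), "rows after erasure")
```

The analysis function gives the same regional averages whether it is fed the raw or the pseudonymized rows, which is the point: the analyst never needs the names. Whoever holds the key can still map a data subject to their rows, which is what makes an erasure request workable; anyone who obtains only the pseudonymized table and not the key cannot.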
The GDPR affects data beyond that collected from customers. Most notably, perhaps, the regulation applies to the
human resources records of employees.[6]
Controversies Associated With the GDPR
The GDPR has attracted criticism in some quarters. The requirement to appoint DPOs, or simply to assess the need for
them, some say, imposes an undue administrative burden on some companies. Some also complain that the guidelines are
too vague on how best to deal with employee data.
In addition, data cannot be transferred to another country outside the EU, unless the receiving company guarantees
the same degree of protection as the EU requires. This has led to complaints about costly disruption to business
practices.
There's a further concern that the costs associated with GDPR will increase over time, in part because of the
escalating need to educate customers and employees alike about data protection threats and solutions. There's also
skepticism over how feasibly data protection agencies across the EU and beyond can align their enforcement and
interpretation of the regulations, and so assure a level playing field as the GDPR goes into fuller effect.