Recently Facebook's founder, Mark Zuckerberg, stated that he would subject his company to the standards of the new European data protection regulation, the GDPR (General Data Protection Regulation), which applies from May 25th. But what impact will this legislation have on a technology company like Facebook? And on others?
Facebook's data security problems have become one more argument in favor of applying the new European legislation, to date the most rigorous in the world for companies that manage their customers' personal data.
In 2016, the data economy in Europe was worth almost €300 billion, close to 2% of the EU's GDP. In 2020, it will be worth €739 billion, 4% of GDP, according to European Commission data. The number of businesses working with data will also see an increase: up to 359,050 in 2020 from 255,000 in 2016 according to a European Data Market study.
From May 25, 2018, in general, all companies that operate in Europe and handle personal data, in any sector and regardless of their country of origin, will have to be transparent about how they collect, process, and keep this data. A study by IAPP and EY estimates that the world’s leading 500 companies will spend $7.8 billion to comply with GDPR.
Legislation to (better) protect personal data
With respect to companies, GDPR widens the reach of the previous European data protection rules in three crucial aspects. Firstly, consent given by the data subject (the person the data is about) must be explicit, informed, and revocable at any time.
Additionally, customers can ask companies to hand over all their data in a structured, commonly used and machine-readable format, and if they wish, they can then pass this data on to a different company by exercising what is known as the right to data portability.
For companies accustomed to gathering and dealing with large volumes of data, the new regulation will involve establishing a new way of interacting with their customers when it comes to personal data. GDPR requires companies to make fundamental and wide-reaching changes such as the way they organize personal data. Some of the more immediate and visible changes will occur by merely redefining Terms of Service.
GDPR also introduces two new concepts: “privacy by design” — privacy designed into offered products or services — and “privacy by default” meaning that data protection options have to be set at the highest level by default.
Secondly, GDPR's penalties are severe. The maximum fine for an infringement is set at 4% of a company's total worldwide annual turnover or €20 million, whichever is higher.
Thirdly, GDPR introduces the principle of a company's active responsibility, better known as accountability, which obliges companies to implement internal processes and keep evidence that demonstrates compliance with the law.
GDPR's application in Spain
Although GDPR is an EU regulation, and therefore directly applicable in every member state without national transposition, it leaves room for member states to complement it with local legislation adapted to their own context. In Spain, this takes the form of a new "Organic Data Protection Law" (LOPD), which in all likelihood will not be in force until the end of 2018.
The new LOPD defines the conditions under which certain types of companies, such as credit institutions, are required to designate a Data Protection Officer (DPO) or another data protection representative. The DPO's responsibilities include, among others: advising the company on regulatory compliance, monitoring and supervising the company's adoption and implementation of the measures needed to guarantee compliance, and dealing directly with data subjects about any complaints or claims they may lodge.
In anticipation of this legislation, BBVA has already created the DPO role. "This legislation is a step forward in the protection of consumer data. At BBVA, we are already well into its implementation," explains the bank's Data Protection Officer, Flora Egea.
Spanish companies are already taking steps to prepare for the imminent arrival of GDPR. A recent study by International Data Corporation (IDC), in collaboration with Microsoft, estimates that Spanish organizations will invest €140 million in 2018 to adapt their processes and systems, 44% more than in 2017.