When companies offer their goods and services, they need to gather some data from consumers, whether it is purely for their own business or the consumer’s benefit. Regardless of the intention of the companies handling this data, the consumers need to be able to trust the corporations with their data and to protect their data from being used maliciously, there need to be certain consumer protection laws in place.
The General Data Protection Regulation (GDPR) was formed in 2016 for this exact reason. This regulation was succeeded by the 1995 EU Data Protection Directive, and it dictates how any company operating within the EU will handle and process any consumer data, personal or otherwise.
In this content piece, we will look at the GDPR legislation and how it helps consumers gain more autonomy over their data or privacy.
What is the GDPR?
The GDPR legislation was put forth by the European Union (EU), formed in 2016, and the EU member states were given a maximum of two years to implement the law across their countries. The GDPR both protects the rights of all EU consumers, as well as provides them with more control over the data collected and processed by an organization.
Any organization that collects, manages, and processes the data of EU consumers—regardless of where it is located—has to comply with this regulation.
Does the GDPR apply to the United States?
While the US does have its consumer protection laws, it does not give as much autonomy to consumers as the GDPR legislation does. The law most closely equivalent to GDPR is the California Consumer Privacy Act (CCPA). Different states enact different laws, such as the California Privacy Rights Act (CPRA), Consumer Data Protection Act (CDPA), and the Colorado Privacy Act (CPA).
Here is a useful comparison table for each of these varied acts.
However, the GDPR can still apply to many US companies and organizations as long as they serve customers in the EU. The GDPR applies to any organization regardless of where they are based if they serve any EU consumers. That is one of the reasons the GDPR is often looked at as one of the landmark laws for EU consumers in protecting consumer privacy and data.
What does the GDPR do to provide consumer protection?
The GDPR has seven key principles by which companies need to abide, which are:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
Each of these principles, in order, denotes that:
- Consumer data collection and process does not break any laws, does not have any bias towards or against an individual, and operates with complete transparency. Under this principle, users need to know all the types of data collected by an organization.
- Purpose limitation denotes that organizations do not use any data beyond their initial purpose, with a few exceptions. These exceptions are defined, such as archiving, adding to statistical data, or serving public or scientific interests.
- Data minimization refers to organizations only collecting the necessary data. For example, a site with no login has no use for a phone number, and should not collect such data.
- Accuracy refers to all data being up to date, and any older data being scrubbed.
- The storage limitation is similar to the purpose limitation, in that data should not be stored after use unless used for the exceptional purposes outlined in the second principle.
- Integrity and confidentiality refer to storing the data with adequate protections, encryptions, and security measures to prevent leakage, loss, damage, etc.
- Lastly, accountability means that the organization controlling the data is solely responsible for handling and processing data, and should take accountability for it.
What are the consumer rights under GDPR?
Consumers also are given certain protection measures which they can exercise as part of the directive to give them more autonomy. These are:
- Right to be informed
- Right of access to data
- Right to rectify any errors in the data
- Right to erasure of data
- Right to restrict processing of data
- Right to data portability
- Right to object
Consumers, companies, and their employees, all need to be informed about the GDPR legislation and the various rights and responsibilities each party has under this law. Data for more than 100 million accounts were leaked in the third quarter of 2022 alone, with cybersecurity companies getting more and more concerned over user data breaches, especially since more companies opt for requiring email access, payment information, and other private user data.
Organizations need to have employees provided with adequate GDPR awareness training to be better informed about the legislation and help minimize these types of breaches, from improved data storage and encryption to better processing methodologies.
Here, we have discussed what the GDPR is for, and how it helps consumers protect their rights. Overall, raising awareness about GDPR is important for both companies and individuals, as it helps to ensure that personal data is handled and processed in a way that is compliant with the regulation and respects the rights of individuals.
Interesting Related Article: “74% of UK consumers consider brand values before purchasing“