Since then, there has been little enforcement activity at the same time as many companies still come into compliance with GDPR. The new regulation, however, has already shifted the global focus on data protection to a new phase and spurred other governments to act on data privacy laws.
GDPR covers data protection and privacy standards for EU residents. Companies that transfer, process or maintain the data of EU residents must adhere to the new standards regardless of where the company comes into contact with the data. The GDPR replaces the old EU Data Protection Directive which had been the foundation of data privacy laws of EU member states since 1995.
In the few months since the GDPR has been enforced, complaints over violations have already been filed against several large tech companies including Google and Facebook. Companies are changing their policies on data privacy for not only EU users but all customers with a flurry of emails regarding new policies to users. Multiple companies and news organizations require EU users and sometimes non-EU users to accept privacy terms in line with GDPR to access content on the site. Finally, several other governments have moved on their own data privacy regulations.
Related: European Labour Authority to be Established by Year’s End
On 28 June, California was the first U.S. state to adopt comprehensive rules on the rights of consumers regarding control of their personal information. The California Consumer Privacy Act (CCPA) provides consumers in California with five general rights pertaining to the privacy of their personal information. Starting in 2020, Californians will have the ability to determine what information of theirs is being collected, what information is being sold or revealed to third parties, access their information, prevent the sale of their data and control their data without repercussions. The new rules take effect on 1 January 2020.
Companies and their vendors that transfer, process or maintain the data of EU or California residents, including transferees residing in the EU or California, must be in compliance with the new requirements or face potential fines.
In India, on 27 July, an Indian government committee released the Personal Data Protection Bill of 2018 based on the ruling by the Indian Supreme Court that every individual has the right to data privacy. The draft bill follows many of the key provisions of GDPR including parameters for obtaining and using personal data. The bill would also direct companies to have a Data Protection Officer and require organizations to notify consumers of data breaches. The fine for violations are the higher of 2% of total annual gross revenue or approximately 620,000 euros as opposed to GDPR which is 4% or 20 million euro.
Even though GDPR has only been in effect for three months, it is having a global impact on the way companies operate and how governments think about data privacy. For more information about GDPR and data privacy, a GDPR update session is being held at the 2018 Global Workforce Symposium on Thursday, 18 October at 2:00 p.m. local time. Register today to join in!