Contribution by Carmen Cornejo
Years before the Cambridge Analytica scandal, the European Union (EU) planned to reinforce data privacy online and ambitiously set May 25th, 2018 as the date for companies' compliance.
This new standard strengthens existing individual rights and creates new ones. As you can imagine, these efforts by the EU are a big deal, and their adoption is making headlines in the tech world, the legal world, and the intersection of both.
But most of the companies, and even the regulators, in the EU are not yet ready for the General Data Protection Regulation, or GDPR.
The GDPR was adopted in 2016 after years of deliberation. It is a set of rules whose requirements include transparency about data collection (what data is being collected and why) and the mandatory reporting of data breaches to regulators within 72 hours of the event, among other mandates.
Most companies have miserably failed to meet the benchmark established by the GDPR implementation deadline.
Experts calculate that half of the companies operating in the EU were not compliant by the deadline and are still working on adopting the GDPR standards.
With the set of rules established by the GDPR, it is likely that Cambridge Analytica's operation would not have happened in an EU member state.
One of the most important requirements of GDPR is called the data subject access request. EU residents have the right to request access to review personal information gathered by companies and have it changed, deleted, corrected or delivered.
And that revolutionary requirement is making the companies sweat.
Companies are having a hard time complying with this requirement, since information can be spread across many servers and stored in different formats. An important factor for compliance is setting up the internal infrastructure so that these requests can be answered and fulfilled.
The GDPR also requires responding to personal data requests across a range of different data points, some of which are defined ambiguously, making absolute compliance almost impossible according to experts.
There are significant penalties for non-compliance.
The GDPR applies to European Union companies and users, but American companies are affected as well, since many conduct business in the EU. However, Americans outside of Europe can't make data subject access requests, and they can't demand that their data be deleted.
Think this does not affect you? Even if a company has no business or physical presence in Europe, it may be hauled into European jurisdiction simply by making its websites available in Europe or to European citizens or residents.
To consult on these and other business and technology issues, please contact Marcos E. Garciaacosta Esq. via Twitter at @iplawmarcos.