For the last 2 years the EU, and subsequently the rest of the world, has been preparing for the implementation date of Europe’s biggest data security change in 20 years.
The General Data Protection Regulation (GDPR) is an EU directive, which has been approved by all EU states, will have a worldwide impact, affecting any company that collects or processes data from people who are currently within the EU.
Companies all over the world are preparing for the directive’s implementation, announced as the 25th of May 2018.
The GDPR will be creating a higher standard of data security that is updated for today’s data uses, and will provide internet users with more authority and control over their personal data.
The question is, who will it affect and will it affect us all the way in Egypt?
To know that, we have to understand what it is first.
How will it affect internet users?
Using the internet means we have had to consent some of our privacy to companies who handle websites. The most popular ones are social media sites such as Facebook, as well as search and mail engines such as Google.
These companies are privy to a lot of data, from IP addresses to home addresses, and even online and bank account passwords.
They also tend to supply third parties with information on their consumers, such as for advertisers. This is one of the many concerns that EU citizens have been discussing with the EU.
The GDPR is a solution to the public concern over personal privacy and how our information is used and shared.
The GDPR was created to provide a more secure standard in the protection of that data, and gives internet consumers a chance to rectify and/or erase certain data held by a company.
The new directive allows individuals to simply ask a company about the data they have on the individual, with no prior notice, and the company must provide the data in one month. The directive also includes consumer rights which can be separated into 5 categories.
- information notices
- subject access
- rectification and portability
- rights to object
- rights to erasure
- rights to restriction of processing, profiling and automated decision taking
This means that consumers now have a right to know when their information has been hacked, have the ability to correct and rectify certain information, be able to object to having data collected about them, and the right to erasure.
The right to erasure allows people to simply ask companies to delete the information that was obtained on them. Unfortunately, this is only applicable to data gathered while they were in any of the EU states.
From large organizations to small startups, individuals will now be able to control their personal data better than before.
How will it affect companies?
The new regulation will specifically affect companies that deal with data, focusing on data controllers and processors. It will also affect a wide range of companies all over Europe, and the world.
Data controllers are companies or individuals that determine how the personal data will be used, and how the data will be handled and processed. Data processors are individuals who process (obtaining, recording, or holding) the personal information on behalf of the data controller.
Unlike the previous Data Protection directive, which provided companies with some leeway to implement the regulations in their own way, the directive is directly binding and applicable to any company or individual that handles EU personal data.
There are many ways in which the GDPR will affect companies, all of which are stated in the 99 articles within the GDPR.
Here are the main points to keep track of.
IT and security teams will be become more important after the GDPR is in effect, as they must be bale to have more say in the decision-making processes of companies to ensure that data is secure, and that they continue to be GDPR compliant.
HR will also have an important role, as data does not only come from users, but from other staff members as well.
The UK’s Information Commissioner’s Office (ICO) has kindly prepared a guide for companies who are getting ready for the May deadline here.
Continue reading to learn how it could affect Egyptians.
How are giant internet companies Facebook and Google handling the change?
As companies who handle some of the world’s largest personal data databases, Google and Facebook have been public with their compliance of the new EU regulation.
Facebook has already created multiple pages on their website to provide information on how it is complying to the GDPR.
“Data protection is central to the Facebook companies” states Facebook in its GDPR page.
Facebook has already been revamping its security efforts for years, so it’s no surprise they are already ahead of the compliance requirements of the GDPR.
The company, along with its other Facebook companies such as Instagram and WhatsApp, sees itself as a both a controller and a processor. (Although they do state that in most cases they are controllers.)
For advertisers on the platforms, the company will act as a controller. Brands that use their platforms will be responsible for ensuring they are complying with the GDPR.
Facebook has also been offering tools for users who wish to use their right to access. Users can download all the data that the company has on them, as well as correct any data they believe is incorrect.
In order to protect people’s and business’s data, Google stated that “We proactively ask third parties to review our product controls against international standards…– so you know your business’s data is handled responsibly.”
They have also stated that they are updating their agreements to “reflect the obligations of controllers and processors and offer data-processing agreements where required in time for May 2018…”
They’ve also created a PDF explaining more about their commitment to complying to the GDPR.
So, how does it affect us all the way here?
Although the GDPR is an European regulation, its effects can be felt globally. Anyone that handles EU businesses’, resident’s or even citizen’s data must comply with the regulation.
For Egyptian companies, it is important to decide whether you are doing/will have business within the EU region. Companies that simply have a website that can be opened within the EU, or are advertising online, may already be subject to the GDPR.
To clarify, if you collect any type of data from someone who is at the time of collection within EU borders, you will be subject to the GDPR requirements. If the EU citizen is outside of EU borders, then you’ll be ok.
Marketing surveys, or any survey, is applicable under the GDPR.
Generic marketing does not. Websites that are from countries outside the EU, and are not directly targeting EU citizens or businesses, are not subject to the GDPR, even if opened by EU residents.
However, if the website is in/has the language of the targeted user, have references to EU users and/or have a domain suffix such as .nl (Netherlands) or .fr (France) will be under the GDPR eye.
Companies that work in the hospitality, travel, e-commerce and software services should check their online marketing efforts in case.
Usually, we enjoy a certain level of flexibility as we are far away from the EU, but the EU-EGYPT PARTNERSHIP PRIORITIES 2017-2020 does state in part two of the ‘Egypt’s Sustainable Modern Economy and Social Development’ section, that the EU and Egypt have a “have a shared interest in reinforcing cooperation in foreign policy at the bilateral, regional and international levels.”
This could mean that Egyptian companies could be liable to the GDPR through this agreement, or that the Egyptian government may allow the fines that GDPR regulators may want to implement due to the agreement.
Either way, the GDPR is setting a precedent for countries around the world in data security and protection methods.
It is likely that we can see countries start to adopt this type of regulations/laws in many countries, although maybe not as soon for Egypt, and it will change how companies all over the world do business.