What is GDPR? GDPR Review, Features

The General Data Protection Regulation (GDPR) is a regulation of the European Union, which was passed by the European Parliament and the European Council in April 2016 and came into force in May 2018. GDPR sets new standards for companies in collecting, storing, protecting and using user data; on the other hand, it also gives users greater processing rights for their own data. The purpose of GDPR is to curb the abuse of personal information and protect personal privacy.


About GDPR

GDPR stipulates the rights enjoyed by all EU citizens in their digital lives. Its predecessor was the Data Protection Directive, which came into effect in 1995. Most of the GDPR provisions are inherited from it, and the GDPR will replace the old regulations after it comes into effect. In the EU legal system, directives and regulations are two different forms: directives are not directly applicable to member states, which must convert them into their domestic laws on their own and have a certain degree of discretion in doing so; regulations are directly applicable in member states. In Europe, and in fact in the world at present, GDPR is the most complete and strict privacy protection regulation.

GDPR is a "regulation" within the EU legal framework. It has been passed by the European Parliament (lower house) and the European Council (upper house) and can be directly implemented in EU member states without the need for approval by national parliaments. Currently, the EU has 28 member states, with approximately 500 million people who can be directly protected by GDPR. It is worth mentioning that although the UK has started the Brexit process, it has also approved GDPR and will also officially implement it from May 25.

According to GDPR, companies must obtain users’ consent when collecting, storing, and using personal information, and users have absolute control over their personal data.


Reasons for the new regulations

1. Provide EU citizens with more rights to use their personal data;

2. Strengthen trust between digital service providers and the people they serve;

3. Provide a clear legal framework for businesses, eliminating any regional differences by creating uniform laws across the EU single market.


Influence

1. GDPR is the most comprehensive global data privacy protection regulation to date and officially came into effect on May 25, 2018.

2. Any organization that processes personal data of European citizens must comply with the regulation.

3. Failure to comply with GDPR notification obligations may result in a fine of up to €10 million or 2% of global annual turnover (whichever is higher). Failure to comply with the regulator's order may result in a fine of up to €20 million or 4% of global annual turnover (whichever is higher).


Applicable geographical scope

1. GDPR applies to organizations with an establishment in the EU, as long as they process personal data in the course of their establishment’s activities in the EU (regardless of whether such processing actually takes place in the EU).

2. If an organization does not have a business establishment in the EU but processes personal data of individuals in the EU, and such processing is related to the provision of goods or services to individuals in the EU, regardless of whether such goods or services are charged, the GDPR should also apply.

3. GDPR applies to non-EU organizations processing personal data of individuals in the EU, as long as such processing involves monitoring the behavior of those individuals and the processing takes place in the EU.


GDPR is complete and strict

1. Enterprise part

(1) First, before collecting users’ personal information, companies must explain to users in a “concise, transparent and understandable form, in clear and plain language”: what information about users will be collected; how the collected information will be stored; how the stored information will be used; and the company’s contact information. In other words, the previous practice of using vague and confusing statements to trick users into agreeing to data collection is no longer allowed. In this context, “personal information” refers to any information that can identify a user, such as IP, email address, user name, etc.

(2) Secondly, the penalties under GDPR are very high, high enough to attract the attention of all companies. The maximum fine for each violation is 4% of the company's annual turnover, or 20 million euros, whichever is greater.

2. User part

(1) Overview: As consumers, users enjoy various rights with the implementation of GDPR.

(2) Rights enjoyed:

① Right to access data: Users have the right to ask the company whether their personal information is being processed. If it is being processed, they can then learn: the purpose of the processing; the type of relevant data; the information of the data recipient; if the subject is the data recipient, they can inquire about the source of the data.

② Right to be forgotten: Users have the right to request companies to delete their personal data. When the data has been disclosed to a third party, users can then request that the third party delete the relevant data.

③ Right to restrict processing: Users have the right to prohibit companies from using information for specific purposes, such as prohibiting companies from using it for vertical marketing. If you recently searched for products with the keyword "craft beer" on a shopping website, the website's recommended information flow or other sites that have cooperated with the website may recommend similar "craft beer" to you. We can now ask the company not to disclose this to other companies, and even ask the company itself not to use this for any marketing activities.

④ Right to data portability: Simply put, when a user wants to leave a platform, he or she can ask the platform to hand over the data the user generated on the platform in a structured, machine-processable format.


Consumer benefits

1. More privacy: Companies are required to collect and process only the personal data required for specific purposes and take measures to protect personal data.

2. Personal data is safer: With stricter rules on the collection and processing of personal data, there will be fewer chances of data breaches.

3. Better control over their shopping experience: Consumers can decide in advance whether they want to receive marketing emails from businesses or whether to allow websites to track their behavior for analysis and remarketing.


How Businesses Can Respond to GDPR

1. Content preparation: The company’s GDPR description text should be clear and unambiguous.

(1) The company’s internal “service agreement” and “privacy terms” need to be adjusted accordingly to GDPR, and a rule document suitable for the company’s own situation should be formulated.

(2) Clearly and unambiguously indicate the data that the company will collect, how it will be used, and the rights that users have to grant or revoke consent.

(3) Ensure that the product has multiple language versions, and do not use language differences to word terms ambiguously when obtaining user consent.

2. New users: clearly inform users of their rights and interests at the form entrance.

(1) Set up a clear user notification window at all data collection entrances such as subscription and registration.

(2) The location should be eye-catching and the content should be clear and concise.

(3) There may be an automatic check box for mandatory consent, and the service can only be used after the user's subjective consent has been obtained.

3. Existing members: Users complete the authorization independently.

(1) The authorization page does not check the content that the user authorizes by default. The user needs to check it and then click "Authorize".

(4) After GDPR officially comes into effect, you can check the "Exclusion Group" box on the email sending interface to stop sending emails to unauthorized users.

4. Existing members: You are allowed to revoke permission or modify authorization at any time.

(1) For users who have not clearly responded on whether to authorize, as well as users who have already authorized, a clearly visible mark for revoking permission must be included in each subsequent email push.

(2) Allow users to cancel authorization at any time.

(3) Allow users to modify their personal information at any time.


How to do social media marketing (or advertising)

1. Under GDPR, if you want to use customer data or track their behavior for advertising purposes, you must obtain a legal basis for doing so. That is, you must obtain the customer's explicit consent.

2. You must give your customers a free and real choice to accept or decline (and allow easy withdrawal of their consent).

3. You must explain what data about your customers will be collected and how it will be used. The request for consent must be in clear and simple language that is easy for customers to understand. The user's lack of active response does not constitute consent. Your customers must take action. (For example, pre-checking a consent box is not allowed.)

4. As the requirements for obtaining consent are very strict, it is best to refer directly to the relevant regulations and contact your legal advisor. Many social media advertising features include using customer data uploaded by you, collecting personal data or tracking user behavior on your website. If you are involved in the above behavior, it will be useful to further research what actions to take.


Impact on related companies

Google and Facebook received lawsuits from the EU for fines of 3.9 billion euros and 3.7 billion euros respectively on the day GDPR came into effect. Apple, Amazon, LinkedIn and other companies also faced lawsuits filed by privacy regulators. After GDPR came into effect, the servers of many American media websites such as the Chicago Times and the Los Angeles Times in Europe were shut down.

WeChat overseas version, Sina Weibo international version and many other Internet companies updated their privacy policies for European users and requested re-authorization. QQ stopped some international version services and will launch a new version, prompting users to upgrade. Air China and China Eastern Airlines have updated the privacy terms of their apps and official websites. Haier and Huawei have already hired special teams to deal with the new regulations.
