The Irish Times view on GDPR: bigger than Beyoncé

The new EU data legislation will give people significant new protections

With companies like Facebook and Microsoft pledging to offer GDPR-level protections to all worldwide customers, the signs are that GDPR will function as a long-needed, if imperfect, global redress to what has been a data-grab free for all. Photograph: Nicolas Asfouri/AFP/Getty Images

The General Data Protection Regulation (GDPR), which comes into effect today, is hands down the best-known piece of legislation to come out of the European Union in years. By the start of this week, Google searches on GDPR had surpassed those for Beyoncé.

No doubt that’s in part because of all the GDPR marketing consent emails popping up in everyone’s inbox. But those emails are just advance outriders for one small element of this sweeping privacy and data protection regulation.

The GDPR gives the data of anyone in the EU, citizen or visitor, significant new protections. People now have clearly specified rights to data protection, especially for sensitive data pertaining to "physical, physiological, genetic, mental, economic, cultural or social identity". Children's data – in Ireland, anyone under 16 – has extra protections.

All of us now have the right to ask organisations to reveal the data held about us, and they must be far more transparent in how and why they are gathering that data in the first place.

To meet these new individual rights, organisations face stringent new obligations on collecting, utilising and protecting data. In particular, data breaches must be reported to data protection authorities within 72 hours, and individual victims must also be notified if the breach could cause them personal damage.

Organisations worldwide can be fined up to €20 million, or 4 per cent of annual worldwide turnover, whichever is the greater. This is a critical element. Past data protection legislation lacked such mind-focusing punishments.

And that is why the international business world is paying attention, especially US technology companies. For some with high turnover but little profit, a fine could wipe them out. It will take time to iron out exactly how GDPR will operate in real-world application. But with companies such as Facebook and Microsoft pledging to offer GDPR-level protections to all worldwide customers, the signs are that GDPR will function as a long-needed, if imperfect, global redress to what has been a data-grab free-for-all.