If you’ve got an email address, chances are you will have heard about Europe’s new General Data Protection Regulation.
Indeed, it’s hard not to view the rules, or GDPR, as “a law created to fill your inbox with identikit warnings from every company you have ever interacted with online”, says The Guardian.
As well as annoying email users in the UK, however, the new legislation is “set to force sweeping changes in everything from technology to advertising, and medicine to banking”, the newspaper reports.
So who will be affected, and how?
What is GDPR?
GDPR “will bring outdated personal data laws across the EU up to speed with an increasingly digital era”, says Wired.
From Friday 25 May, the new regulation will “alter how businesses and public sector organisations can handle the information of their customers”, the magazine explains. GDPR replaces the 1995 Data Protection Directive and boosts the rights of individuals, giving them more control over their personal data.
What does it mean for consumers?
EU residents now have the right to request access to review personal information gathered by companies. Individuals - or “data subjects”, in GDPR jargon - can ask to have their data deleted, or revised if it is incorrect, and can also have their information sent to them in a portable form.
“If individuals begin to take advantage of GDPR in large numbers, by withholding consent for certain uses of data, requesting access to their personal information from data brokers, or deleting their information from sites altogether, it could have a seismic effect on the data industry,” says The Guardian.
What does it mean for companies?
A lot of paperwork. Business groups say companies will have to spend £1.2m each, on average, to meet the complex new requirements.
“Many do not currently track their data processing in a way that complies with the new rules,” reports The Sun. And if they have sought consent from customers to collect data, the records are often out of date, or the consents do not meet the GDPR standards.
“Very few companies are going to be 100% compliant on 25 May,” lawyer Jason Straight, the chief privacy officer at London-based business advisory company UnitedLex, told The Verge. “Companies, especially US companies, are definitely scrambling here in the last month to get themselves ready.”
However, Paul Jordan, the Europe managing director of the International Association of Privacy Professionals (IAPP), offered words of comfort, saying: “I think it’s quite clear that a number of companies won’t be ready [for GDPR], but if they can demonstrate they have been planning appropriately [then regulators will give them] a certain leeway.”
Are all those emails necessary?
Maybe not, according to Toni Vitale, the head of regulation, data and information at law firm Winckworth Sherwood. Vitale told The Guardian that “if the business had consent to communicate with you before GDPR, that consent probably carries over”.
And if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you for that consent, Vitale adds.
“In many cases, the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email,” he said.