TMCnet Feature
September 05, 2019

Data Protection - GDPR's Effects One Year Later and a Look into CCPA



The internet has changed the way we do things, from communication to how we carry out daily tasks. We pay bills, share documents, send emails, and even buy stuff from online stores without giving it much thought.

But hey, have you stopped for a second to think about the amount of personal information you have shared on the internet, and where that data goes? Contact information, addresses, banking details, your IP address, social media posts, and the websites you visit – all of this data is stored online.



Often, companies request this information in the name of providing better customer service and experience and more targeted and relevant communication. But the question is, is that all there is regarding the use of your personal details?  

In May 2018, the European Parliament and Council agreed that the General Data Protection Regulation (GDPR) would be the primary law regulating how businesses protect users’ private information. GDPR’s enforcement was meant to change the way companies collect, store, and use client information.

The law aims to create more consistent protection of personal and consumer information across the EU. Some of the basic data and privacy protection requirements of GDPR include:

  • Offering data breach notification
  • Requesting consumer consent for data processing
  • Anonymizing stored data for privacy protection
  • Safe handling of data transfers across borders
  • Hiring a data protection expert to be in charge of GDPR compliance

The goal of the GDPR is to enforce a single data security law on all members of the EU, so that no state has to write its own data protection law and the regulations apply across the whole EU. Beyond EU members, any company that markets solutions to EU residents, regardless of its location, needs to abide by the GDPR. So, it is safe to say that the law has influenced the global requirements for data protection this past year.

But other countries didn’t just sit on the sidelines as the EU implemented the GDPR. California, for example, signed the California Consumer Privacy Act (CCPA) in 2018 too. The law came after the EU’s GDPR, and some consider it a smaller version of the GDPR. CCPA is the most comprehensive privacy law in the US, aimed at businesses that gather and/or sell personal data. The law is meant to give the state’s citizens more control over their personal information.

Thanks to the new data protection rules introduced by CCPA, Californian consumers will be able to:

  • Know the “who, what and why” surrounding their private data
  • Request the company to delete their personal data from its database
  • Instruct the company not to sell their personal data to third parties

GDPR and CCPA

Although CCPA is usually termed “California’s Mini GDPR,” it isn’t similar to the GDPR. The two are different in several ways, including how they define personal information. According to CCPA, personal data is anything that relates to, identifies, describes, or can be linked to or could reasonably be associated, directly or indirectly, with a specific household or consumer. The CCPA includes almost all interactions in the digital space, placing companies under greater compliance obligations. As it is, CCPA compliance will be easier for companies that are already implementing GDPR, though it still needs serious effort.

More than one year has passed since the inception of GDPR - what are the law’s tangible effects today?

Statistics gathered from 10 EU countries reveal that a year after GDPR was enforced, consumers are continuing to exercise their rights to data protection by filing complaints with their national DPAs. According to an EU Commission infographic on GDPR compliance, 95,180 complaints have been made so far by people who believe their rights under the law have been violated. Most of these claims concerned promotional emails, telemarketing, and video surveillance. The infographic further revealed that DPAs have issued three fines under the law and that 23 EU member states have embraced the country’s legislation to ensure compliance with the GDPR.

Despite the government’s effort to enhance user protection, only 29% of EU organizations were GDPR compliant as of December 2018. Another study revealed that 1 in 4 companies had yet to start making their business GDPR compliant, and 53% were in the implementation phase several months after the set deadline had passed.


