The EU’s General Data Protection Regulation (GDPR) is now in effect, and according to many estimates, a huge number of companies are now in breach.
In case you’ve somehow not received a torrent of emails about companies updating their privacy policies, GDPR is a set of new rules concerning the storage and sharing of personal information for citizens of the European Union.
It affects any company that stores information on such citizens.
Some of the key provisions include: the requirement that all privacy options be set to maximum by default; that personal information is not shared without explicit consent; that companies give complete disclosure about what data is being collected and why; the right of citizens to access the personal data a company has on them; and the right to have that personal data be deleted if a citizen asks it to be.
For businesses that operate in the EU, the maximum fine for a privacy breach is 20 million euros (approx. AUD $31 million) or 4 per cent of a company's annual global turnover, whichever is greater.
For Australian companies that have information on EU citizens, it goes far further than the mandatory Notifiable Data Breach requirements announced in Australia in February.
Indeed, under GDPR, Australia is not included in the small list of countries that currently have adequate privacy laws, and EU companies will have to ensure that any Australian firms they do business with have GDPR compliance before they can transfer data to them.
Given how comfortable companies have become with hoovering up our personal data, it’s probably not surprising that most surveys on GDPR readiness put the number of businesses not in compliance at ‘high’.
A survey of IT security decision makers in Australia, the US and the UK by security firm Webroot revealed that just 9% of Australian companies and 42% of global companies feel they are GDPR compliant.
A survey by US compliance and security firm Alert Logic put the global number at just 7%.
Meanwhile, a report by ISACA (formerly known as the Information Systems Audit and Control Association) was a little more generous, putting the number of global companies that expect to be in compliance at 29%.
What the big five are doing
Each of the 'big five' social media companies – Apple, Facebook, Google, Microsoft and Twitter – has taken its own actions regarding GDPR.
Facebook has just updated its privacy rules globally to be more in line with GDPR requirements.
At the same time, however, Reuters reported in April that Facebook was also moving 1.5 billion user account details out of its data centre in Dublin to put them out of the reach of GDPR rules.
Facebook chief executive Mark Zuckerberg has publicly hedged on GDPR and said that Facebook would comply globally “in spirit,” but he would not commit to it being a global standard.
Apple has introduced a new privacy portal globally that allows an Apple ID owner to download all the data that Apple has on them, as well as deactivate and delete accounts.
It also allows you to correct any data that Apple may have on you.
Microsoft has likewise released a new set of privacy tools and enabled them for users globally.
It has added additional controls in the Microsoft Account privacy dashboard, and has added a lot more clarity to its privacy statement about what data it collects and what it uses that data for.
The new controls allow users to view and clear the data Microsoft attaches to their account, including browsing and search history, location history, product usage and media activity.
Google has modestly updated its privacy tools, with a new information page and slightly more granularity in the privacy controls.
Google had already allowed users to view, download and delete their personal data.
Finally, Twitter updated its terms of service and privacy policy last month ahead of the GDPR deadline, and says it is committed to letting users view how their private information is being used.
In order to comply with GDPR, it has also disabled Twitter for Roku, Android TV and Xbox.