As the GDPR moves from a distant vision to a fast-approaching reality, it is easy to get swamped in preparation and neglect some of its details. So much has been said about what the GDPR is that we find it necessary to point out what it is not.
GDPR is not the EU-US Privacy Shield:
Transferring information between the United States and the European Union requires that the EU be satisfied with the privacy laws the U.S. has in place. Sounds simple enough; however, it is not that simple for the U.S. The transfer of data to the U.S. as a whole is stunted because the EU has deemed that our laws are not strict enough to ensure the protection of EU citizens' data. This is where the Privacy Shield steps in. The Privacy Shield allows individual U.S. companies to demonstrate that their own privacy measures are adequate, and thus allows the transfer of EU data to those companies.
The difference: Privacy Shield is voluntary; however, once a company has publicly undertaken it, the company is bound to comply. The GDPR is NOT optional for entities that fall within its scope.
The point: complying with the Privacy Shield will help your company comply with the GDPR; however, it does not guarantee compliance.
GDPR is not the Safe Harbor:
To be honest, the Safe Harbor is no longer in force. What the Safe Harbor was, was a set of “principles” that sought to ensure the safe transfer of EU data while maintaining the all-important open flow of data and commerce with the U.S. There were seven principles:
- Onward Transfer
- Data Integrity
The Safe Harbor came to an end, and the U.S. found itself under more stringent data transport regulation. The Safe Harbor's demise was due, in part, to third-party access to personal data by the U.S. government. Striking it down was an attempt to limit U.S. government access to the data of EU citizens, which the Safe Harbor had permitted to be transported out of the EU.
The difference: The GDPR, which essentially replaced the Safe Harbor, is a stricter standard of protection for EU citizens. The GDPR requires companies to comply regardless of whether they have a base in an EU region. Notably, the U.S. was not included in the group of countries deemed to have “adequate protection”, which would have lessened the restrictions mandated by the GDPR.
The point: The GDPR goes into effect on 25 May 2018, and its regulations are centered largely around consent. The Safe Harbor is essentially obsolete, and companies should comply with the GDPR in order to avoid high penalties and fines.
The GDPR is not Cookie Consent:
Cookies are very popular, very small files that are downloaded to a user's device when they visit a website. Cookies serve a wide array of purposes and come in three specific forms: session, permanent, and third-party.
The difference: Under the GDPR, certain cookies are considered personal information because they can be used to uniquely identify individuals, so site owners must now obtain consent. Currently in the EU, websites have to comply with the EU cookie law, which mandates that websites get consent from users before storing or retrieving their information. Not all cookies fall under this mandate; however, cookies used by survey and chat tools, analytics and advertising functions all fall under the consent mandate.