When the EU adopted the General Data Protection Regulation (GDPR) in 2016, it gave digital companies plenty of time to comply. The law went into effect in 2018, and by last year the EU had fined over a dozen companies millions of dollars for failing to adhere to its regulations.
The EU wasn’t alone in handing out fines. Last year, the US federal government fined Anthem Inc. $48.2 million for breaking HIPAA laws in 2018, a record-setting settlement for a data protection violation. Amid these penalties, California, New York and Washington have been drafting newer data protection laws.
With that in mind, below is an overview of how data protection has changed in the past couple of years.
SSL Encryption is Compulsory
SSL encryption is no longer a choice. Every online business is required to protect its customers’ data through Secure Sockets Layer (SSL) encryption. In some industries, such as health, finance, online gambling and social media, companies can face hefty fines for not encrypting user data.
For small businesses and blogs, SSL encryption is still optional, but one they are strongly advised to adopt. It helps keep people’s data safe while they browse the web. The best part: securing a website with SSL isn’t expensive. Many web hosting providers offer HTTPS encryption as a free service or as an affordable add-on.
That said, the consequences of not securing a website with SSL in 2021 can be catastrophic. For starters, most browsers, including Google Chrome and Firefox, warn their users against visiting unsecured websites. What’s more, HTTP websites are constant targets for hackers, meaning your clients’ data can easily be breached.
Watchdogs Mean Business
Data protection watchdogs no longer plead with companies to protect their customers’ data. They don’t even issue warnings. If an organization suffers a major data breach, they step in, investigate and penalize the company immediately.
The fines companies must pay vary. As we mentioned, health insurer Anthem Inc. now holds the record for the biggest fine for violating data protection laws in the US. It was initially fined $16 million for breaking HIPAA laws in 2018, but the penalties have since increased to $48.2 million.
In Europe, breaking GDPR comes with a fine of up to €20 million or 4% of a company’s annual income, whichever is greater. In Britain, the data protection agency, the ICO, recently fined British Airways $28 million (£20M) for a breach involving the data of about 400,000 people.
Against that backdrop, no company wants to violate data protection laws in any country these days. That’s why they keep updating their privacy policies, encrypting their websites and equipping their employees with VPN subscriptions. Virtual Private Networks anonymize connections and encrypt your data. This way, they help keep out hackers and other unauthorized users.
Consent must be Voluntary
In the days before GDPR, consent simply meant agreeing to the general terms and conditions of a website. You had the choice of reading a company’s terms and conditions or not. But the moment you ticked the ‘I agree’ option, companies had the right to use your data as they wished.
Those days are gone, and for the better. In 2021, the laws about consent are stricter. Companies need clear consent forms that describe the data they want to collect. Consent is also not compulsory, although businesses have the right not to work with you if you disagree with their data collection policies.
That’s why nearly every website these days has a form asking you to agree to data collection. If you’re not ready to accept data collection, you can dismiss the form or leave the website. This way, you only agree to these terms fully aware of what you’re getting yourself into.
This is a relatively new update to data collection laws. It became common after the introduction of GDPR. Now, nearly every country with data privacy policies also gives consumers the right to ask for their data back. Crucially, you can also ask a company to stop collecting your data.
This provides clarity on what to do when you stop transacting with a company. Let’s say you want to end your relationship with your current ISP. The ISP has been collecting your data, including personal and financial information, for over five years.
With the new CCPA in California, GDPR in Europe and UK GDPR in the UK, you can put an end to that data collection. And you can ask your ISP to erase your data. Most companies have a time frame for erasing your data, though. They could take up to a year before they finally erase it.
Parent Consent where Minors are Involved
It’s no secret that children as young as two years old use digital devices. To protect them against exploitation, many data protection authorities have special requirements for companies: they can’t collect a child’s data without the parents’ consent.
Under GDPR, the rule applies if the minors are below 16 years. In California, parents come into play if the children are under 13 years. If they are between 13 and 16 years, websites can ask for consent directly from the young Internet users.
Special Data Handling Protocols
Due to the growing concerns about data protection, many oversight authorities now require large companies to have strict data handling procedures. The GDPR, in particular, requires companies that employ over 250 people and handle the data of 5000+ people to appoint an officer responsible for data handling.
California, Nevada, Maine and Utah, all of which have data protection laws similar to GDPR, don’t oblige companies to appoint a data handler. But for many companies, it’s a necessary measure. It’s not unusual for employees to be involved in data breaches. A special protocol helps prevent such issues.
The data protection space has changed in the past five years. There’s increased legislation, especially in Europe, the UK and the US. The new laws are incredibly strict, often giving consumers unfettered rights over how their data is handled. Failure to comply with these laws is expensive and can cost a business millions of dollars in fines.