International Affairs

General Data Protection Regulation (GDPR): What it means for you as a consumer


Over the past few weeks, you may have noticed an increase in e-mails regarding privacy policy changes from companies who have your information. Many businesses may have asked you to actively opt-in to remain on their mailing lists. This is a result of the implementation of what has been described as one of the strictest data protection laws in the world, the EU’s General Data Protection Regulation (GDPR). It comes into force on May 25th, 2018. But what does this mean for you as a consumer?

Benefits of GDPR

GDPR places a lot of emphasis on transparency and consent. The regulation aims to tighten controls around data protection and hold companies accountable at a time when many of them are profiting from our data. Here are some of the ways GDPR will benefit you as a consumer:

(i) Explicit ‘opt-in’ consent – Companies will need to explicitly ask users for consent to process their data. It will no longer suffice to have this information within the Terms & Conditions, for example. The consent will need to be obtained through clear affirmative action, such as a separate tick box.

(ii) Privacy Policy – You will have access to the company’s privacy policy at the time when you provide your personal information. This will need to include how long the company will store your data, who the information will be shared with, and the purposes for processing.

(iii) Right of data access – You have the right to to request a copy of all of the processed data that a company has on you, and they have a month to comply. Facebook is already making progress towards this; you are able to download all of your information off of your profile now through Settings > Your Facebook Information > Download Your Information.

(iv) The right to be forgotten – You will be able to request to have you information erased if you no longer want your data processed. There are exceptions to this, including when the information is a matter of public interest or when it concerns the right of freedom of expression for example. In general however, a company is required to delete any data they have on a user without delay.

Who does the law apply to?

Any business within the European Union, and any business that has any dealings with EU citizens even if that business is not based in the EU will need to make arrangements to accommodate GDPR. Mark Zuckerberg has said that Facebook will be complying with GDPR – the company will be aiming to implement its principles globally where possible.

There are heavy penalties for companies who do not comply with GDPR – they may be fined up to 4% of their annual worldwide turnover.

In conclusion

This will create significant hassle for companies in the short term as they scramble to implement this very new legislation that has not been practically applied yet. There will also be a considerable cost involved – Financial Times reported that Fortune 500 companies will be spending a combined $7.8bn to ensure compliance.

Further, some websites may not be available in the EU right away (or at all). Trying to access certain US websites from within the EU currently yields this message:


The legislation may be difficult and expensive to implement for companies, and we may not have access to some websites, but that’s a sacrifice I’m willing to make as a consumer. We just went through the Cambridge Analytica/ Facebook scandal and it left many people rightfully concerned with how their private data is used. A legislation like this is timely and will give consumers comfort in knowing that their data is appropriately protected.

Share this post: