Even if it's tempting to ignore them, here's why these emails matter to you: While any regulation is subject to interpretation and nothing is guaranteed, the overall shift is in favor of the consumer and protecting everyone's personal data—regardless of the type of technology a company is using to process the data or how it is stored.
The European GDPR (General Data Protection Regulation), which took effect on May 25 and applies to companies worldwide that handle EU residents' data, is an attempt to protect the privacy of individuals, especially in the wake of repeated data breaches, and to prevent their data from being sold to other parties. "We've also taken steps to improve our Privacy Checkup and other controls we provide to safeguard your data and protect your privacy," Google said in its email.
The European Union's Parliament approved GDPR on April 14, 2016. Companies were given two years to prepare for the regulatory change.
"Data services providers like Experian have been preparing for GDPR by assessing their internal operations to review their intake, use, and processing of data to ensure they can comply with GDPR's requirements," Jay Stocki, Senior VP of Strategy at Experian, said in a blog post last month.
The law applies to companies that are based in the EU or that work with customers in the EU, which covers nearly every major Internet company, such as Google and Facebook, as well as international hotel chains like Marriott. Companies can now collect personal data only from users who have given their consent.
What Does This Mean For You?
Here are a few key components of GDPR for consumers to know:
- Consumers will now have more control over the personal data they give out.
- Companies must encrypt their data for security, and if they do have a data breach, it must be reported to authorities within 72 hours. Individuals must also be notified if the breach "is likely to result in a high risk to the rights and freedoms of individuals."
- Individuals can also pursue civil actions such as class-action lawsuits against the organizations if they suffer "material or non-material damage" as a result of a breach.
What You Should Do
Although the responsibility for complying with GDPR lies with the organizations or companies that do business in the EU, here are a few steps you can take to stay on top of things:
1. Go Over the Details
2. Review Your Account Information
Check what personal information is being stored in your account. Remove anything the company does not actually need, such as a credit card you stored previously but rarely use, or an address that isn't required for this particular account. While some companies need specific information, many do not.
For example, your Social Security number is not really something most companies need or should have (unless it's related to something legal, financial, or your employment). You can always decline to provide extra personal data and then inquire as to why it's necessary.
3. Review Your Emails
Consumers often sign up with companies to receive content such as blogs, or with retailers to obtain discounts. This is a good opportunity to clean out your inbox and see which companies you still want to stay connected with. If you're no longer engaging with them, opt out: it keeps more emails from flooding your inbox and keeps your personal data out of additional hands.
If you do not think you signed up with the company, avoid clicking on its emails, because phishing scams remain prevalent. Phishing is when fraudsters send emails that mimic a trustworthy source such as a credit card company, financial institution, or retailer. Unsuspecting consumers open the email and click on the links, which can trigger a malware infection or lead to a fake login page that harvests credentials. (See: What to Do If You Are Infected With Malware)
What Is Personal Data?
Personal data is any information that can identify a person. Some of the most common types include the following:
- Name and surname
- Home address
- Email address
- Identification card number such as Social Security number
- Location data (for example the location data function on a mobile phone)
- Internet Protocol (IP) address
- Cookie ID
- Data held by a hospital or doctor, including any identifier or symbol that uniquely identifies a patient
What Other Data Breach Regulations Are Being Put in Place?
So far in 2018, 228 data breaches have been reported, according to the Identity Theft Resource Center. Fraudsters are always devising new ways to obtain your personal information and sell it on the dark web.
There are additional efforts happening here in the U.S. to help protect consumers as well. Michael Bruemmer, VP of consumer protection for Experian, explains: "While GDPR is a major change for the EU in terms of new regulation, the U.S. is also updating laws for privacy and security at the State and Federal level."
Examples include the SEC guidelines from this past February that require improved reporting for data breaches and the New York Department of Financial Services' 72-hour deadline to disclose breaches, which was enacted in August 2017. "It remains to be seen how many other jurisdictions will continue to shorten the notification deadlines to both regulators and consumers in an effort for improved accountability and consumer protection," Bruemmer adds.
According to NPR, California may also have a major new initiative on the November ballot that could affect how companies operate throughout the U.S. As currently proposed, the California Consumer Privacy Act of 2018 would require businesses to place a "clear and conspicuous" link on their website's homepage titled "Do Not Sell My Personal Information," which takes users to a page where they can opt out of having their data sold or shared.
What Should You Do After a Data Breach?
If you are a part of a data breach, you'll need to take certain steps depending on what information is included in the breach. Read more here to learn what to do after a data breach.
It's also a good idea to review your credit card and bank statements carefully each month for anything you don't recognize. Most banks and card issuers also let you set up text and/or email alerts for large purchases so you can flag suspicious activity early. In addition, regularly check your credit report for identity theft red flags, such as accounts or inquiries you did not initiate.
Fraudsters often remain one step ahead of financial institutions and card issuers, since new schemes to obtain personally identifiable information (PII) appear frequently.
Learn more here on Experian.com about other new scams and what to do if your credit card or debit card is involved in a data breach.
Editorial Disclaimer: Opinions expressed here are author's alone, not those of any bank, credit card issuer or other company, and have not been reviewed, approved or otherwise endorsed by any of these entities. All information, including rates and fees, are accurate as of the date of publication.
This article was originally published on June 1, 2018, and has been updated.