After the recent scandal regarding Facebook’s misuse of private user data, the implementation of the GDPR seems like the answer to the everyday consumer’s prayers. Well, if you’re one of the approximately 510 million citizens of the European Union, that is. But what does this have to do with you and your business, you ask? Probably a lot more than you would realize right off the bat.
Approved April 11, 2016, the General Data Protection Regulation (or GDPR as it’s more commonly known) is a new European regulation written with the individual in mind. It goes into effect on May 25, 2018, and it’s making waves in industries across the world. The entire goal of the GDPR is data transparency; it gives individual citizens of the EU’s countries the authority to know exactly what information about them is being used, where it’s being used, and what it’s being used for. This includes both actual personal data (such as names, birth dates, and addresses) and online identifiers (like IP addresses). These laws apply not only when financial transactions take place, but also in simpler exchanges of information such as marketing surveys.
Gone are the days of forever-long legalese explanations of data collection and usage rights; GDPR stipulates that all requests for information collection, usage, and disclosure be written clearly and concisely, eliminating the possibility of vague or blanket statements. European citizens must be given the option to opt out of data collection for marketing and profiling purposes, and companies must cease these activities as soon as they receive an objection. Any automated decisions based on past behaviors or data collected by any business will be appealable. There is also a provision that requires any serious data breaches be reported to an organization’s supervising authority within 72 hours of it becoming aware of the breach. Ultimately, citizens want to know why their data is being used, and the GDPR ensures that they have the power to find out.
While the most obviously impacted entities are European businesses, anyone who does business in the EU should be paying attention to this important legislation. Any interaction with European consumers demands compliance with these laws in relation to these individuals, regardless of a company’s geographic location, with a few stipulations. Any company that has a targeted market in the EU will need to be in compliance within that market. If someone in Paris, for example, came across a US website made for US consumers with nonspecific, generic marketing and entered personal information, that data would not be protected by the GDPR; however, if the website were in French and referred to EU customers in any way, it would call for GDPR protections. The new regulations only apply to EU citizens actually in the EU at the time the information is collected.
To help companies be compliant with the new laws, the GDPR encourages ‘pseudonymization’, or the manipulation of data so that it can no longer be connected to a specific person without additional data. For example, encryption is an acceptable practice. Because the consumer’s data is encrypted, even in the case of a data breach, the information would be useless without the separate encryption key, yet it retains its usefulness to the host company. Another option is tokenization, which replaces data with non-sensitive ‘tokens’ that have no real value or information.
Rewriting terms of service statements and/or implementing pseudonymization may seem like a headache, especially for small businesses, but the penalties for non-compliance are steep. The fines for failure to comply can be up to 20,000,000 euros (approximately $24,219,960 at time of writing) or 4% of the company’s worldwide annual turnover from the previous financial year. So, stepping up your data privacy game may seem expensive right now, but it might just save your business from going under later.
The GDPR goes into effect May 25, 2018. Are you ready?