Europe is making major strides when it comes to protecting its citizens' personal data. With big data becoming a commodity, even referred to as our next natural resource, one has to assume that our personal information is very much a part of businesses' big data play. From your contact information to your search history, your personal data is being bought, sold, and leveraged to increase businesses' bottom lines, often without you even knowing about it.
The European Union (EU) wants to give its citizens more control over their data. To do this, it passed the General Data Protection Regulation (GDPR), and it is affecting American businesses more than anticipated. According to an independent survey by Vanson Bourne, 52% of US companies hold data on EU citizens, which could make them subject to the new regulation.
What this means is that every company in the world with customers in the EU, employees in the EU, or marketing directed at the EU needs to comply. Consider the following examples. Do you have a web presence in the UK? Do you have an employee or contractor in the UK? Have you ever collected or bought an email address that ends with ".uk"? Does your team target ads at countries in Europe? These examples, and hundreds more, show that businesses must act fast to achieve compliance.
The initiative started in 2012, when the European Commission announced its intention to launch a data protection reform in order to prepare Europe for the digital age. At the time, I was asked by the British consulate to travel to London to discuss how UK companies could collaborate more effectively with Silicon Valley (and the rest of the US). We met with several companies, including law firms, to discuss how we could do a better job of keeping our customers' data safe.
Fast-forward to today. Organizations operating within the EU, as well as organizations outside the EU that collect any personal data of individuals in the EU, must comply with the GDPR by May 25th of this year. Because the GDPR adopts a particularly broad definition of "personal data" (ranging from national identification numbers, the equivalent of US Social Security numbers, to IP addresses and website cookie identifiers), many organizations are affected. The fines for noncompliance can be painfully high: for the most serious infringements, up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
The GDPR introduces five core changes to the ways in which organizations collect and protect users' personal data. First, where an organization relies on consent as its lawful basis for processing, that consent must be freely given and unambiguous (under the GDPR, pre-checked opt-in boxes do not count as valid consent). If an organization markets directly to consumers on the basis of consent, a positive, affirmative opt-in is required. Second, users are afforded the "right to be forgotten" (the right to erasure). That is, subject to certain exceptions, they can request that the personal data held on them be deleted. Third, users are given the right to data portability: to receive the data they provided in a structured, machine-readable format and to transfer it to another vendor. Fourth, organizations that meet certain criteria (public authorities, and those whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data) are required to appoint a data protection officer (DPO). Finally, organizations must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to "result in a risk to the rights and freedoms" of individuals, and must also notify the affected users directly when the breach is likely to result in a high risk to them.
Startups in particular are struggling to comply with the GDPR. Many have heard the warnings, yet have neglected to act. According to Martech, only one-third of startups are GDPR compliant (compared to 70% of enterprises globally, according to a study conducted by the IAPP).
While some forward-thinking startups are ahead of the pack (MailChimp, Amplitude, and Segment have all publicly announced their commitment to the GDPR), they are the exception, not the norm. For a fast-scaling startup, acquiring customers in Europe and marketing to them is often the logical next step in growth. As Thomas L. Friedman explained in his best-seller on globalization, The World Is Flat, technology has enabled us to go global with just a few keystrokes.
At my current startup, we became international rather quickly and unintentionally, as our product went viral. Since we have high-profile clientele, we chose to prioritize privacy and bake GDPR principles in before our first sale. We also leveraged third-party solutions, such as TrustArc, to better navigate the complexity of privacy compliance.
There's no one-size-fits-all strategy for compliance. GDPR compliance is not a fixed, point-in-time challenge; it is an ongoing process that lasts for the life of a business. Each startup will need to determine how it is affected by the new regulation. This will depend on its size, as well as on the type of personal data it collects and what it does with it.
The UK's Information Commissioner's Office (ICO) has explained: "You are expected to put into place comprehensive but proportionate governance measures... Ultimately, these measures should minimize the risk of breaches and uphold the protection of personal data." The ICO has also published a helpful list of 12 steps that all organizations, including startups, should take to prepare for the GDPR.
The EU is clearly leading the charge in giving consumers back control over their personal data. I think it is a trend that many other countries will follow in the coming years. Investing the time and resources needed to comply with these regulations will not only allow you to do business properly in the UK and the rest of the EU, but will also lay the foundation for the new restrictions we can expect to see in the future.