In late May, most people are thinking about enjoying a long Memorial Day weekend. But for many entrepreneurs, it means a major change to how they conduct business.
On May 25th of this year, the EU will finally start enforcing the GDPR (General Data Protection Regulation), a set of rules that establishes stricter protections for its citizens' data privacy, and puts in place new guidelines for the collection of consumer data. These regulations apply for any company that processes or stores the personal data of any person residing in the EU, regardless of where the company is located - in other words, it applies just as much to companies based outside of the EU as it does to those that operate within it.
Naturally, those organizations with an international presence (Google, Facebook, Amazon, eBay, etc.) have been scrambling to meet the requirements, creating privacy centers and the like in order to give users more control over their online privacy. But it's important to note that these requirements don't just apply to those incumbents. Any company that offers goods and services to those in the EU or collects any type of identifying data (name, email, IP address, and so on) is subject to the same regulation, and the same consequences. This means that businesses of all sizes, including startups who hope to crack the European market anytime in the next few years, need to be thinking about how to implement GDPR within their organizations.
Now, some companies might try and be blase about the whole thing, and opt to pay the potential fines instead of implementing arduous and complicated measures to comply. That's their right - but they should keep in mind that the penalty for noncompliance is a hefty fine of up to €20 million, or 4% of annual global revenue - whichever number is higher. Needless to say, the cost of flouting the rules far outweighs the benefits, so companies around the globe would do well to heed the requirements that GDPR sets out.
What are those requirements? First and foremost, companies will be required to obtain users' consent to collect their data, and the request for their consent "must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent." The language used must be "clear and plain", and users must be able to withdraw their consent as easily as they can grant it. In addition, companies are required to notify their customers of any data breaches within 72 hours of first noticing the breach.
Most radically, GDPR formally enshrines the "right to be forgotten" into law, a right which gives any citizen of the EU the right to request the removal of their data from a company's database if there is no longer any reason for it to be used by that company, or if a person chooses to withdraw their initial consent. For example, let's say you decide to close down your Twitter account. Under the rules set out by GDPR, Twitter is required to delete any data it has on you should you request it. Naturally, there are limits - you can't ask for information that's in the public interest (ie. anything newsworthy) to be removed, nor can you request the removal of any data relating to freedom of expression.
Under GDPR, EU citizens also have the ability to request a dossier (sounds fancy, I know) of all the information that a given company has on them at no cost, as well as the right to know where their data is being used and for what purpose.
The biggest question facing companies in the US is whether this kind of regulation will catch on across the Atlantic. According to Samir Addamine, CEO of mobile marketing platform FollowAnalytics, GDPR represents the "rare time that the EU is being in advance of the rest of the world." Addamine anticipates that this sort of legislation will make its way to other countries shortly, "especially" the US, simply because that's what people are asking for. Thanks to GDPR, most companies will/should already have the infrastructure in place to respond to any new legislation.
In addition, the rise in the number of data breaches has made cybersecurity a vital issue for businesses and governments alike. As a result, one incentive for implementing stricter laws around the storage of data and the process for reporting hacks would be to limit the amount of damage caused by cyber attacks. In the US, New York State is leading the way, creating new security requirements for financial institutions and helping to ensure that organizations are prepared in the event of an attack.
Ultimately, GDPR is a big deal in two ways: it affects many businesses outside the EU today, and may be a portend of further data protection rules to come. Is your business ready?