The implications of General Data Protection Regulation on businesses
Adrienne Wallace, a digital strategist at BlackTruck Media + Marketing, contributed to this post.
Cambridge Analytica and the great Facebook debacle of 2017-18 has been an eye-opener for many people and companies, especially those who click straight through long “Terms of Service” agreements to install an app, or who just can’t wait to find out “What Harry Potter character are you?” Just what did you agree to, anyway?
All joking aside, we have officially “learned the hard way” that what we share online can be used for illegal or unethical purposes. The mining of personal information from more than 50 million users has been called the “tip of the iceberg” when it comes to privacy violations, and the parading of Mark Zuckerberg in front of Congress showed two things: most of our elected officials do not understand how the internet, apps, and privacy work (a bipartisan deficiency, it seems), and we have a lot at stake when we sign away our right to privacy.
Enter the GDPR, or General Data Protection Regulation (Regulation (EU) 2016/679), which was approved by the European Parliament in April 2016 but does not become enforceable until May 25 of this year, and which threatens heavy fines for those who are not in compliance. Since the internet is not a local or national thing but a global network, the GDPR becomes the new standard for many international organizations. It was designed to protect and empower the data privacy of everyone in the EU and to “reshape the way organizations across the region approach data privacy.” The implications are significant. In short: the GDPR applies to anyone who does business within the borders of the EU or handles the personal data of EU data subjects, and in a digital world that is pretty much everyone.
So, what does this mean for your West Michigan company? Quite a bit. You might not think you have much interaction with folks in the EU, but chances are good that you have done one or more of the following:
- Received website traffic from an EU resident
- Collected identifying data, in any capacity, about an EU resident
- Conducted any type of business with an EU data subject
- Targeted online ads at an EU data subject (intentionally or not)
So, what are you supposed to do about it? Well, we aren’t lawyers, but here are some areas where you could probably improve your standing with the GDPR:
1. Regain data retention controls: Google Analytics, for example, has announced data retention settings that let site owners control how long user- and event-level data is kept on Google’s servers. Even though the United States is not in the European Economic Area, the GDPR governs the processing of EU residents’ data, and therefore reaches many of the software products and services we use in the U.S.; that is why this policy matters in West Michigan.
What you should do: Review, with your legal team, your internal governance policies and practices, the terms of service for all data collection, and every processor and controller you use or administer, and bring them into compliance with the GDPR. Google’s published data retention changes are one example of what a vendor should be doing.
2. Create a proper process: A documented protocol for handling GDPR obligations will help you avoid fines, stalled projects, and wasted staff time. Appoint a committee or a project manager to handle access and erasure requests from EU data subjects promptly; the GDPR generally requires a response within one month of the request.
What you should check: Rewrite user agreements and privacy notices to the GDPR’s standard of clear, plain language (yes, even if you are a U.S.-based company). Think about reducing the amount of data you collect. What is really necessary, or even being used, for your business? Every unnecessary data point is a potential compliance liability for your company. (Ask for your attorney’s help here.)
3. Be proactive: Whether you know the law or are ignorant of it, the penalty is the same: up to 4 percent of your worldwide annual turnover or 20 million euros (about $24.7 million U.S. at the time of writing), whichever is greater, for the most serious infringements, with a lower tier of up to 2 percent or 10 million euros for others.
What you should check: Be sure the vendors you work with understand the law, and what the ramifications are if your contractors are not well-versed in it. The GDPR also requires a written contract (a data processing agreement) with any processor that handles personal data on your behalf, so review those contracts now. Working with your legal team and your vendors can save you a lot of money and legal woes.
In the end, we should not view the General Data Protection Regulation as a huge negative for conducting commerce online. Instead, it should encourage you to be open about the data you are collecting, give individuals that level of detail, and take all the steps needed to conduct business online honestly.
Please consult your legal team to develop your individualized plan regarding GDPR.