Consumers on both sides of the Atlantic have been concerned for decades about the uses—and possible misuses—of the personal data they give to businesses. Among those concerns are the ways and extent to which those companies are free to sell or swap that information with third parties. Said differently, should companies have the right to sell their users' personal data without getting those users' consent, and what role should government play in regulating such information exchange?
The General Data Protection Regulation (GDPR)
Those concerns prompted the United Kingdom in 1998 to pass its Data Protection Act, which provided consumers in the UK with limited protections against such potential abuses of their personal information. In the intervening years, however, as technology advanced and new threats emerged, the UK, in concert with the member states of the European Union, decided to revisit the issue.
The result was passage of far more sweeping legislation, the General Data Protection Regulation (GDPR), which went into effect in May of 2016. Among other things, GDPR gives consumers more control over uses of their personal information than the previous legislation. That includes:
- the right to give active consent to any use of that information;
- the right to limit that use;
- the right to be "forgotten";
- the right to have their data portable; and
- the right to seek damages in the event their personal information is misused or breached.
Beyond extending these rights to consumers, GDPR imposes substantially heftier fines on any business that is non-compliant with its regulations. Finally (and importantly), GDPR's regulations and attendant fines extend to any U.S.-based multinational company that does business in the European Union.
Half of Businesses Are Not Prepared for GDPR
The deadline for achieving compliance with GDPR regulations is May 25, 2018. Given the stiff fines associated with GDPR, one would think the lion's share of businesses in the U.S. and the EU had already taken the necessary steps to ensure compliance. That, however, is not the case, according to Information Week:
"If you're in a U.S.-based multinational enterprise doing business in the EU, you're aware that the European (GDPR) deadline is May 25, 2018. You may also be painfully aware that you are not ready for the impending change. Gartner recently predicted that only 50% of companies impacted by the tough regulation will be compliant by the end of 2018. Non-compliant companies will face hefty fines of up to €20 million or 4 percent of global annual revenue, whichever is greater. Non-EU companies will be a particular target of these higher fines."
How Can U.S. Businesses Best Prepare for GDPR?
Effectively preparing for the new legislation might initially appear an overwhelming challenge. Any business affected by GDPR should nevertheless take all the steps necessary, both to do the right thing for users of their sites, and to avoid potentially game-changing fines.
Martin James, Regional Vice President for Northern Europe at DataStax, counts among his responsibilities that company's overall strategy for marketing and sales performance. Prior to assuming his role at DataStax, James held a variety of positions related to data, analytics, marketing and the cloud sector. Writing for Information Week, James recommends that businesses take the following 4 steps to ensure GDPR compliance:
1. Learn the Difference between Controllers and Processors
GDPR contains multiple, and sometimes nuanced, legal definitions that affect how companies will be treated under its regulations and what will constitute non-compliance. One of these is the distinction between "controllers" and "processors," both of which are liable for maintaining users' rights under the legislation.
Simply stated, controllers establish the rules by which data is processed, while processors follow those rules. For example, if company A launches an email marketing campaign, that company creates rules for the ways in which subscribers' personal information is collected and used. In this instance, company A is a controller. If company A hires company B to run its email marketing campaign (and, by extension, use those rules), company B is the "processor."
A given enterprise can be a controller, a processor, or both. Similarly, a company can engage multiple processors. The important point is for businesses to clearly understand which role they serve, and to learn what specific responsibilities they have in assuming that role.
2. Complete a Compliance Audit
Within the legal context of GDPR, it's critically important to understand what customer data (and what kinds of data) your business holds, the reasons you possess that information, where in your systems it resides, how long you retain it, and finally what processes are in place for deleting it. This is sometimes referred to as a compliance audit.
There are several ways to conduct an audit. For example, you could partner with a reputable database solutions provider who can help you navigate the process. Alternatively, you could hire or appoint someone who has the requisite legal and IT skills to serve as an internal data protection officer.
3. Identify Your Lead Supervisory Authority
Because many multinational companies operate in multiple EU member states, they face a potentially daunting patchwork of individual national implementations of GDPR. For this reason, the negotiation process that produced GDPR included a "one-stop-shop" mechanism, under which affected companies work with a single primary data regulator, the lead supervisory authority.
Generally, this will be in the EU member state where the company's central administration is located, but it's important to work with both your legal team and experts in GDPR processes to properly identify your supervisory authority. You will also need to identify someone in your business who will serve as principal liaison with the supervisory authority.
4. Create Clear Consent Protocols for Your Customers
Since customer consent is at the heart of GDPR, it's important for you to establish processes and policies that govern how that consent is obtained. Said differently, how will your customers give consent, and how will they communicate the types of consent they give?
Will they, for example, complete surveys, checking off applicable opt-in boxes? To ensure compliance, the protocols you establish must demonstrate that consent is valid (that is, freely given without coercion, undue incentives or penalties for refusal). Generally, consent should also be explicit rather than implicit.
For many companies, implementation of policies and procedures that ensure GDPR compliance will seem both burdensome and unnecessary. There are, however, upsides to implementation which extend beyond the avoidance of fines. Effectively complying with GDPR, for example, can mean enhanced data efficiency, improved data protection and, perhaps most importantly, the establishment of enhanced trust and credibility with your customers. For all these reasons, it's important that your business, if it hasn't already done so, take the steps necessary to ensure compliance as soon as possible.