An article by David Tan, Chief Technology Officer
If you didn’t know it was coming and weren’t fully aware of the impact and implications of the new rules that went into effect at the end of May, you were probably overwhelmed by the sheer volume of emails you got from every company you ever did business with electronically, outlining their new policies and procedures around the protection of your data. That onslaught was basically every major company in the world scurrying to comply with a new set of rules and regulations known as GDPR. While all the large companies we deal with were very clearly affected, there is ample reason why you need to know about, understand, and potentially plan for these rules regardless of the size and location of your business. Hopefully this article will help you understand exactly why.
In case you aren’t familiar, GDPR stands for General Data Protection Regulation, and it’s a set of rules that regulate the collection, protection and use of personal data for all citizens of the EU. It was actually first agreed to back in 2012 but took years to get ironed out, formalized and implemented, which officially happened on May 25th of this year. Before we talk about why you should care about rules governing the personal data of EU citizens (we’ll get there, I promise), I think it’s important to understand exactly what it is.
The European Commission wanted to update their rules to reflect something that is more fit “for the digital age.” Essentially, GDPR imposes tougher restrictions on how personal data can be collected, utilized, and stored. It gives individuals greater say over what companies are allowed to do with their data, and imposes bigger legal penalties on companies that do not adhere to the regulations. In particular, the protection and management of data has to be fair and transparent to the individual whose data is being stored. You might be starting to see already just how cumbersome this law might be. What exactly is personal data? The obvious things like health records, financial transactions, and legal records are all covered, but so are things as seemingly innocuous as phone numbers and email addresses. The reach of these regulations is mind-blowing.
Let me give you a funny example to illustrate. I’m a big fan of 80s music. Like any true fan of the 80s, I owned every Police album, and loved the band. A few years back, when they last toured, I joined the Police fan club to get access to pre-sale tickets. A day or two before GDPR went into effect, I got an email from the Police fan club website informing me of their updated terms and conditions. That’s right, as if Sting doesn’t have enough on his plate, he has to be worried about the protection of my data! OK, so that’s a dramatization, but the facts still hold. If you collect personal data of any sort, and you interact with European citizens, you have to adjust.
What specifically do you need to address? Well, first and foremost is the protection of the data, which is a given. You need to make sure your systems are secure and protected, and you have constant monitoring in place to ensure the data you have collected is safe, and the second it isn’t, you need to be able to act on it. But it’s so much more than that. You have to be completely transparent. In other words, I have the right to know exactly what data The Police (the band of course, this might not have been the best example) have stored of mine and how they use it. Plus, at my request, they have to be able to delete all traces of it. This is not nearly as simple as it sounds. It’s not easy to wipe out all history and data you have on a person. Let’s say you’re in financial services – do you need to wipe out every record of every transaction? Every email? Every account detail? You might – these are things that are going to be figured out by legal interpretations in the courts in the very near future, but the risk of heavy economic penalties is forcing companies to err on the side of extreme caution.
OK, so why should you care? You own a small business in the U.S. and don’t ever do business in Europe. First off, the laws aren’t exactly black and white as far as who is protected. Depending on your interpretation, either all citizens of the EU are protected (regardless of where they live), or all people doing business from the EU (regardless of citizenship) with companies anywhere in the world. Confused yet? That ambiguity means you might be subject to these laws just because your customer takes a 2-week trip to France and buys something from your website.
There’s another reason, however. This is just the beginning. These laws – or something very similar – will make their way to the U.S. sooner rather than later. Data privacy and protection is a huge hot-button topic everywhere, and it’s absolutely inevitable that America follows suit, whether at the federal level or even at the state level – you can see the beginning of this with the New York Department of Financial Services regulations. Don’t wait until the day before these rules go into effect in your backyard to think about it. I’m telling you, in the next 1-2 years, you will see and hear about something similar that most definitely impacts your business, not just something that could be interpreted that way. Plus, this is just good business practice. It’s critical to protect the data you have collected on your customers. Be a good citizen in today’s digital age and take that responsibility seriously.