You may have noticed a deluge of “Terms of Service” emails flooding your inbox these past couple of months. Just about every company that has your email address, from Google to pet food stores, sent out one of these emails to prepare for the European Union’s sweeping new internet privacy rules that took effect in May 2018.
You may be asking, “Why are Americans receiving notices for a law enacted in Europe, and why do I care?” If you are one of the 13 percent of American businesses that also operate in Europe, complying with the new GDPR law might mean the difference between sinking or swimming.
What Is GDPR?
The General Data Protection Regulation (also known as GDPR) was enacted by the European Union Parliament in 2016 but only took effect in May 2018. The GDPR serves to strengthen the individual rights of the consumer in the EU. Individuals can now demand that companies reveal or delete the individual’s personal data held by the companies.
What makes this law different, however, is that regulators now operate under one jurisdiction instead of multiple jurisdictions within the EU. Plus, the law targets companies that may have no physical presence in the EU but direct their business towards EU citizens. Companies also now face enormous fines of up to €20 million or four percent of a company’s global turnover. For Facebook, a severe violation could cost as much as $1.6 billion in fines!
GDPR is both burdensome for businesses and freeing for consumers. EU citizens will see fewer invasive and targeted ads, companies will be more transparent with citizens’ data, and citizens cannot be locked into any service. Companies must make it possible for users to download their personal data and move it to another service—think switching your Pandora playlists to Spotify and vice versa.
The End of the “Grand Bargain”
One of the internet’s grand bargains has been the idea that one could exchange their personal data for free or subsidized content. Think of how you can use most of Google’s services for free, like Google Search or Drive, but they sell the data you generate to various digital advertising companies.
GDPR threatens to end this grand bargain of the internet. While all these new protections are good for the consumer, there are also some concerns that it could stifle innovation and put an unnecessary burden on businesses due to the excessive bureaucracy. If you are a business in the United States, it might be time to take a look at GDPR and what it means for you.
How GDPR Affects Business Interactions
After laying out both the good and bad of GDPR, what does it all mean for your business and brand? It means you have to be a lot more careful with people's data if your business stretches into the EU. Nearly 91 percent of American businesses lack awareness surrounding the details of GDPR, and nearly as many don’t understand what the ramifications are for their business.
The good news is that nearly no one is ready for the GDPR, so don’t feel bad about not knowing what you’re supposed to do. Regardless of the positives or negatives of the law, here are six important aspects of how the law will affect your business and brand in the EU:
- You Need to Limit Data Collection
The simplest way to comply with the GDPR is to avoid taking unnecessary data from EU citizens. Even taking something as simple as an email requires several layers of consent as well as a specific, plain-language explanation of what the email will be used for. The less data you collect from EU citizens, the less need for justifying every use of personal data.
There are two important exceptions to the GDPR when collecting personal data from consumers: contractual necessity and legitimate interest. Contractual necessity applies when, for example, a delivery service needs to know your home address in order to deliver your food; without that information, the service cannot fulfill its contract with you. Legitimate interest is vaguer, but it generally means that the interests of the business cannot outweigh the interests of the individual.
- Privacy by Design
This is the idea that when you design a data-collecting system, you build privacy in from the start instead of treating it as an afterthought. It’s the same principle as preventive medicine: stopping an infection before it happens is easier than fighting it afterwards. Whenever you create a new data collection system, include end-to-end encryption from the outset so you can prevent large-scale data breaches and comply with any future laws like GDPR.
- You May Need to Appoint a Data Protection Officer (DPO)
The GDPR requires any business that is a public authority, handles large-scale data monitoring, or works with medical or criminal conviction data to appoint a DPO. The DPO is responsible for representing the business and making sure that everyone complies with the new law. The good news is that this can be an existing employee, but they will need to be trained.
- It May Be Expensive
An average business will have to cover the expenses of not only a Data Protection Officer but also audits, certifications, staff training, and compliance infrastructure in the IT department. Sounds like a lot? Implementing GDPR may cost an average EU business over $1 million.
- New Business Models Based on Old Media
Much of what has made digital marketing effective has been its ability to build specific profiles of users across the internet. For example, Amazon’s Alexa can make recommendations based on data passively acquired from purchases and other sites.
Under GDPR, applications of this kind are rife with privacy issues, so new business models may need to replace the old tracking models. Subscription-based paywalls with generalized advertisements, like those in online magazines and newspapers, may be the innovative answer to the downfall of targeted advertising.
- Managing Vendor Relationships
One of the single biggest issues businesses will have to face with vendors is joint liability. The previous EU law only gave data liability to the controller (the authority that determines the purpose and means of processing personal data).
Now both the data controller and its processors, such as email marketing companies, are liable for protecting individual data privacy under GDPR. Three questions to ask your prospective vendors include:
- How do your products/services help me practice data protection by design?
- What is your GDPR compliance strategy?
- How will your sales and service agreements reflect GDPR compliance?
The Big Question
A major question many digital privacy advocates seem to gloss over is whether people truly value their digital privacy that much. While being tracked across the internet and shown advertisements that match your data profile is a bit creepy to most, the alternative is paying for the service. To illustrate this point, a recent George Mason University Law School survey found that 85 percent of all Google users would be unwilling to pay for any privacy services offered by Google.
If people are not particularly interested in this type of protective legislation, then is it worth bringing to the United States? Similar laws may already be up for debate in the U.S., but most believe that would be catastrophic to our digital economy. Technologies like the blockchain could theoretically not exist under the current GDPR legislation because the design of the system means personal data is inaccessible.
The creation of laws like GDPR is an example of how the internet market is maturing. Whether or not these types of laws are enacted in the United States, it is critical to your success in expanding your market that you understand the dos and don’ts of EU privacy laws.