This week, the European Union got all the votes it needed to implement the updated General Data Protection Regulations (GDPR) in 28 member countries. The original set of rules was written back in 1995, which is like 2,000 years ago in internet years. Think about it: the old rules were written before Facebook, before geolocation chips in our cell phones, and long before we started offering up our heart rate via a FitBit.
It took the Union four long years to create a set of rules that everyone could agree on, and yesterday, they all did.
What does this mean for you? That depends on where you are and with whom you do business.
Can I Have My Data Back?
The main function of the GDPR is to give consumers living in Europe more control over their personal data. This includes the right to “be forgotten” by any company or platform that no longer needs the data. In other words, if I were living in Paris and were done with Facebook, I could ask to have all of my data erased. That doesn’t mean just shutting down my public-facing profile page. Erased means everything – all of the data pertaining to me that Facebook has gathered in the past ten or more years. Every conversation. Every post. Every data point that was used to convince advertisers to pay for a Facebook ad – gone from the servers.
If that weren’t difficult enough, the rules also require companies to make personal data portable. Not only do I want you to erase me from your system, but I want you to deliver all of that data to me in a gift-wrapped package that I can hand to your competitor. For example, I want to shut down my Yahoo email account and move my entire history of emails, replies, and contacts over to Gmail.
I don’t know whether that would be easy or hard for a company to do, but it’s annoying and time-consuming. It’s also going to make it easier for consumers to cut ties and move when they’re unhappy. That is not good news for companies that stay on top only because switching is too much of a pain.
What’s tricky is that the language is only as good as a first run at this can be. There are bound to be disagreements about what constitutes company-owned data vs. consumer-owned data. Does Cox own the list of TV shows on my DVR, or do I? I made the list, but I made it using their data pool. Does my browser history belong to Firefox or to me? It’s one of the data points law enforcement agents often use to build a case against a suspect, so ownership matters.
The Data Police
Under the new rules, companies in Europe will be required to be forthcoming and transparent about how they use personal data. Not only will they have to communicate regularly with the people they serve, they’ll have to open themselves up to audits by the regulating bodies.
Companies that deal with a significant amount of data will be required to have a dedicated data security officer. In the case of a data breach, companies will have to notify their customers within 72 hours.
If a company doesn’t follow the rules, it will face a fine of up to 4% of its global revenue from the previous year or the European equivalent of around 22 million dollars. Yes, folks, the European Union isn’t kidding around.
Right now you’re thinking: my company is based in the United States, so we’re in the clear. You’re not. If you do business with customers or other companies in Europe, the new rules apply to you as well. And since it doesn’t make sense to maintain two levels of data compliance, you might as well implement the higher standard for all of your customers, including those here in the US.
The good news is that you have two years to put a plan in place before the European data police come around.
If your company doesn’t conduct business outside of the US, you should still consider overhauling your current data handling procedures to match the more stringent standards. IBM says that the cost of an average data breach is $3.9 million, and then there’s the damage it does to your reputation.
Take consumer data security seriously now, because the penalties and rules are only going to get tougher from now on.