5 ways GDPR will change your world
On May 25, a new law called the General Data Protection Regulation (GDPR) is going into effect in the European Union. The law was created to protect EU citizens from potential abuses, like the recent Cambridge Analytica scandal. Though the timing may seem coincidental, this law has been in the works for more than four years. GDPR will replace the Data Protection Directive (95/46/EC) of 1995.
Under GDPR, a company can be fined up to 4% of its total worldwide annual turnover for the preceding financial year, or €20 million, whichever is higher. This is a staggeringly large penalty. A maximum fine could cost Facebook, for instance, roughly $1.6 billion, and the number would be far greater for companies such as Google and Amazon.
When GDPR takes effect, you’ll be able to ask companies what information they hold about you and then (if you want) ask them to delete it, subject to the regulation’s exceptions, such as records a company is legally required to keep. This applies to all companies, including tech companies, banks, retail sites, and even your employer. Anyone who suspects a company is misusing his or her data can file a complaint with the national data protection regulator, which will investigate the claim. You’ll also be able to file class-action-style complaints. GDPR also requires that businesses let users download their data in a commonly used, machine-readable format and move it to a competitor (think moving from Wells Fargo to Chase, or Apple Music to Spotify).
either an internal employee or outside advisor).
Ensure you have a system set up to detect, report, and investigate data breaches.
These suggestions are just a starting point. For a detailed, helpful guide to becoming GDPR compliant, review this PDF on ICO.uk. (The ICO is the Information Commissioner’s Office, the United Kingdom’s representative on the European Union’s Article 29 Working Party.)
Depending on your field of work, you may be impacted by GDPR more than others are. For instance, email marketing now requires affirmative, documented opt-in consent. You can no longer pre-check boxes that automatically sign members up for newsletters, or offer only a box to opt out; instead, you can collect and use email addresses only if members actively opt in, and you must keep proof of that opt-in (as defined in the regulations). If you have an existing mailing list, there are several options for ensuring compliance:
Delete the entire list and begin anew. (Easy, but not very practical.)
Attempt to separate EU members from non-EU members. (Could be difficult, and includes a risk that if you miss any EU members, you could face a fine.)
Ahead of May 25, email your list and have everyone on the list re-opt-in. (Best option.)
they’re notifying their users via email. Look through your inbox; you’ve likely gotten several dozen over the past few weeks.
GDPR gives you the ability to control how businesses interact with you and handle your data. But there’s a bit of a catch: you need to read the notices and take control of your data.
Do you want to be tracked? Do you want to be forgotten? Do you want to download your data? GDPR is giving you the option to control the way advertisers interact with you, but it requires that you do some work. It’s easy to archive, delete, or altogether ignore these emails, but you should take the time to read them. A key component of GDPR says that companies must tell you, in plain English (not “legalese”), that you have options when it comes to your data.
In order to make those decisions, you need to read those emails and decide: Do I care about this? You can complain about retargeted ads following you around the internet after you looked at that pair of shoes one time, but that type of ad will stop only if you take action.
The data governance pendulum has swung to the far side. GDPR is going to be extremely hard to comply with, especially for American businesses that do only a small amount of business in the European Union. No one really knows yet how the EU’s national data protection regulators will enforce GDPR, who the GDPR police are, or how draconian they are going to be. This will reveal itself in the fullness of time.
For now, consumers should take advantage of the right to be forgotten, the right to control their data and their privacy.
For businesses, it’s time to get your data governance in order. The good news is that the internet is a big place, and you would need to be in extreme violation to even show up on the GDPR radar. The bad news is that if you do, the fines are insane.
As a consultant, I think I know what accountants feel like on April 14th. BTW, May 25th is also Towel Day. So the answer to GDPR may be “42.”