It’s rather like the effects of smoking, or slouching, or eating too much sugar. You know you shouldn’t do it. You know it’s bad for you. But there are so many other things that can kill you first, right? When you spend so much time chasing customers and crafting marketing campaigns to attract and retain them, what’s a little laxity with your data policy going to cost? Quite a lot, actually.
The GDPR (General Data Protection Regulation) is that deadly threat that most companies know about but somehow always seemed so far away. But today’s the day, and companies that do any kind of business with EU citizens had better get compliant – or get their checkbooks ready.
What Are the GDPR Changes Again?
There are volumes of information you can read on this, starting with its official site, but briefly, the GDPR aims to protect EU citizens from data breaches and safeguard their privacy. This theoretically means that no more incidents like Cambridge Analytica will happen again (or if they did, they would be heavily penalized).
Yet the purpose of the GDPR isn’t to cripple businesses; it’s to create a clear and consistent framework for them to work in.
Here are a few of the aims of the GDPR:
- Give citizens more control over their personal data
- Have clear data rules to provide a framework for companies in the EU
- Levy hefty penalties for non-compliance and data misuse
Data Rights for Citizens
If you reside in the EU, you’re probably tired of the steady flow of emails from companies begging you to opt in to their newsletters, spam offers, and updates. It’s rather like poetic justice and a somehow delightful feeling to know that you finally have some power back in your hands. Especially when you never realized that you’d opted in to weekly mail blasts in the first place.
The GDPR ensures that consumers give their “clear and affirmative consent” when it comes to how their data is processed. They have the right to know how it will be used and why and who will receive it. They also have the right to be “forgotten”, meaning that their information can be deleted upon request, or transferred to another service provider. Companies must also inform consumers if their data has been hacked.
It’s a noble move on the part of the EU to protect its citizens. However, the likelihood is that, in the end, they’ll get so tired of clicking through acceptance policies that they’ll stop reading them anyway. Just as ICO investing should probably come with some sort of a disclosure, but you probably wouldn’t read it anyway – though you couldn’t say you weren’t warned.
In a statement released yesterday, Vĕra Jourová, the EU’s Commissioner for Justice, Consumers and Gender Equality, said that “personal data is the gold of the 21st century,” but we are too freely giving it away, particularly online:
When it comes to personal data today, people are naked in an aquarium. Data protection is a fundamental right in the EU. The new rules will put the Europeans back in control of their data.
If You’re Not in the EU, It Still Applies to You
You don’t have to be based in the EU for the GDPR to apply. Just think about Facebook, Twitter, or any tech company with far-reaching audiences. Any company doing business with the EU needs to get with the program – and fast.
Fail to produce the right information or treat your EU customers’ data with care, and you can expect a warning or a fine of up to 4 percent of yearly turnover. Writing up a new privacy policy page on your website isn’t enough to be considered GDPR compliant.
Moreover, with the GDPR, the EU is looking to set a global standard and ensure citizens’ fundamental rights. And if it proves successful, it may be considered by other countries, including the US. There is even a new set of rules for data processing when it comes to law enforcement.
It’s Not Too Late to Act
Until the EU really tightens the narrative and companies begin to catch up, you still have time to get your company GDPR compliant, but don’t waste another moment. There will be no mercy for the company that suffers a cyber attack compromising consumer data that they should never have had in the first place. That kind of happening could see companies go out of business fast.
Yet, despite the timetable of two years to get complaint (and years of preamble before it), many companies fail to understand the implications. And it seems that very few companies are actually 100 percent GDPR compliant today, especially smaller businesses which may assume that the GDPR doesn’t affect them.
In fact, according to a report by The Verge, virtually no one is fully GDPR compliant, including the regulators. Moreover, at least 60 percent of tech companies are not GDPR compliant.
Furthermore, many companies confuse GDPR compliance with security, yet cybercriminals are becoming more adept each day at stealing personal data.
The Takeaway
Even after getting GDPR compliant, companies will need to perform continued security and compliance assessments to ensure that the data they’re fighting so hard to protect doesn’t end up in the wrong hands.