Online activities generate data that can be collected, stored, and shared. Shopping online, interacting with social media, installing mobile apps – all these actions leave a trail of data. Depending on the consumer’s location, these practices have remained largely unregulated – until now.
Starting May 25th, all businesses that engage with European citizens must adhere to new data privacy practices in Europe. The General Data Protection Regulation (GDPR) will replace the European Union’s previous data directive governing consumer data collection, storage, and usage, and aims to give consumers more protection and greater control over their personal data. One misconception about the GDPR is that it only impacts the 28 European Union countries. The regulation’s reach extends not only to European countries but also to countries outside the EU hoping to transact with European consumers.
Consumers will have more confidence in the privacy of their data. Brands must provide additional safeguards and processes to protect their consumers.
So, what’s the big deal?
Under the GDPR, potentially crippling fines – up to €20 million or 4% of global revenues, depending on what’s greater – will be levied against businesses that fail to comply with the new law. While all companies are vulnerable, those with poor data-protection practices or those that incur data breaches due to their own negligence are particularly exposed.
The GDPR will have sweeping implications around the world, and Europe isn’t the only geography bolstering data protection laws. Canada and Australia are in the process of revamping their privacy rules, too, with other countries following suit. More than two-thirds of US companies believe the new laws will force them to rethink their strategies in Europe – and 85% expect European companies will be better equipped to address the regulations and, as a result, will wield a competitive advantage.
A consumer bill of rights
Think of the GDPR as a kind of consumer bill of rights governing data use. Under it, consumers have a variety of rights:
- They must be able to access their personal data, know what is being collected and used by companies, and why.
- Consumers “own” their information. Data accumulated on a consumer cannot be sold to third parties.
- Companies must protect an individual’s IP address or cookie data with the same rigor as a name, address, and Social Security number.
- Consumers have the right to request that their data be transferred to another business.
- They may demand that any personal data be erased at any time from companies and third parties.
- Companies must create new systems that put privacy first – not as an afterthought. Companies will be allowed to collect, store, and process information only if it is verifiably necessary.
- Data breach notifications are mandatory and must be sent to individuals within 72 hours for any event that risks the rights and freedoms of individuals.
As the GDPR creates inescapable global implications, most companies around the world are reworking their privacy policies and implementing consent practices. According to a PwC survey, 77% of U.S. companies plan to allocate $1 million or more to readiness and compliance efforts – with 68% saying they will invest between $1 million and $10 million and 9% expecting to spend over $10 million on GDPR compliance.
With draconian fines a real possibility, this investment looks almost economical. And, keep in mind, fines are only part of the potential damage done by failure to comply. Loss of consumer trust and loyalty can be even more devastating, even for companies that do not need to be GDPR compliant. According to a survey by OnePoll, “86.55 percent of 2,000 respondents stated that they were ‘not at all likely’ or ‘not very likely’ to do business with an organization that had suffered a data breach involving credit or debit card details.”
With the May deadline looming, the GDPR will soon affect many global businesses. Even if a company doesn’t engage directly with European citizens, data protection reforms are on the rise in many countries.
More information about the requirements and the impact of the GDPR can be found by visiting EUGDPR.org. There are videos, links to articles, FAQs, and more. Get to know your data – what’s being collected, how it’s being used, where it’s retained. In the case of the GDPR, ignorance is anything but bliss.
Elastic Path has developed business user-friendly tools that enable you to configure, manage and enforce your data policies. To learn how we can help, visit Putting you on the Path: Data Privacy, the GDPR, and Elastic Path