It's been a long time coming, but the European Union's General Data Protection Regulation is finally law in the world's second largest economic market.
It's been clear from the outset that almost no one outside the E.U.--consumers and businesses alike--can predict just how the GDPR may impact them. We won't know for some time what its real-world impacts will be. In fact, E.U. members are not even in total agreement about what the GDPR will mean for them. At least for the foreseeable future, think of this as a work in progress.
That said, there are some easy lifts here.
What is the GDPR?
The GDPR is a sweeping pro-consumer regulation that grants significant privacy rights to citizens of the European Union.
Among the key elements:
- Personal data collection requires both consent and pseudonymization.
- Data breaches are required to be disclosed within 72 hours (with some exceptions).
- Citizens have the right to access their personal data and information collected on them, as well as the right to correct any inaccuracies.
- Citizens also have the right to have their personal data deleted (within specific limits).
What does it mean for you?
The average brick-and-mortar business--if there are still any that don't collect and store personal information--shouldn't see any repercussions as a result of the new regulations. But understand that this goes for businesses anywhere--not just in the E.U.--and if there are any failures of data protocol or cybersecurity issues, it doesn't matter where the business is based. The GDPR protects E.U. citizens worldwide.
How this affects U.S.-based companies that collect the personal information of a citizen of the E.U. remains to be seen. If data goes walkabout, no matter where in the world it happens, the GDPR, at least in theory, is enforceable. The same goes for any business with an online presence.
Here's something else we can safely forecast: After the initial impact of the GDPR--and the first penalties are meted out to non-compliant entities worldwide--there will be an endless number of GDPR-related shockwaves, and they will keep coming for quite some time.
Overall, the GDPR is a win for consumers. On the business side, it presents a variety of logistical headaches--Microsoft alone has hired more than 300 programmers to ensure compliance--and fiscal nightmares: The possible penalties for non-compliance are 20 million euros or 4 percent of global revenue, whichever is greater.
The timing of the Cambridge Analytica story (breaking months before the GDPR went into effect) suggests Mark Zuckerberg was either very lucky or very smart. Among the GDPR's requirements is one that says any business operating in, or doing business with, citizens of the E.U., must retain an individual or organization to represent it in any interaction with regulators. Additionally, many organizations must also now designate a DPO, or data protection officer.
In addition to the handling of personal data, other components of the GDPR remain ill-defined and vague, which is exasperating C-Suites and boardrooms alike.
For example, consent for the sharing of data can be withdrawn by consumers, in which case businesses have to foot the bill. That would be complex all by itself, but here the concept of consent itself isn't clear; under the regulation, there are "unambiguous" and "explicit" forms of consent, a head scratcher for lawyers and laypersons alike.
How to prepare?
At this point, your inbox has most likely already been crammed to its digital breaking point with emails from organizations of all stripes informing you their privacy policies have been updated. It's a frantic and perhaps ill-advised attempt to telegraph compliance. By and large, it isn't necessary to re-confirm consent with users and customers, provided you can document consent was given in the first place--and that might be the kicker here.
Ultimately, the best preparation for GDPR is to make sure your data is secure and that you have a clear line of communication with your customers regardless of whether or not they're E.U. citizens. Giving consumers control over their data and how it's used should be viewed as a necessity, not a requirement of doing business on the up-and-up.
Is the GDPR a good idea?
The minutiae of the GDPR can and will be debated for a long time to come. Some aspects of the law go too far, some don't quite go far enough, and no one, including business owners, legislators, and private citizens are going to come away from it entirely satisfied, which may be a sign the regulation is as fair as possible.
While many aspects of the GDPR seem Draconian, the bulk of it amounts to common sense regulations for ethical business practices. The lessons of Home Depot, Target, Yahoo, Chipotle, Chili's, Equifax, Anthem, eBay, Sony, and many, many others have shown us that self-regulation, as far as cybersecurity is concerned, simply isn't working.
Adam Levin is the co-founder and chairman of CyberScout.