Have you been waking up to a bunch of emails from businesses that you don’t remember giving your details to, and who are notifying you of updates to their terms and conditions? Or, like me, did you just log in to your Facebook to be walked through a range of new opt-out features like facial recognition?
The General Data Protection Regulation (GDPR) changes that were rolled out at the end of May this year are the most significant regulatory changes made to Internet policy since the 1990s, and with Google and Facebook slammed with $9.3 billion in fines on the first day of these laws going live, they aren’t here to pull punches. But despite this, the lead-up has been understated, to say the least.
If you’re wondering what it all means, and more specifically whether this is something that affects your business, you’re not alone.
In this post, we’re going to run through exactly what the GDPR is, which industries are affected and how they can prepare, and the short to long term impacts of the changes being rolled out.
1. WHAT IS THE GDPR?
May 25th 2018 marked the first day of enforcement for the General Data Protection Regulation, a sweeping body of changes that were adopted by the European Parliament way back in April 2016 to replace the dusty, old data protection directive of 1995. As you can imagine, a lot has changed since the metallic-toned dial-up days of the 90s. I mean, we’re talking about a time when the U.S. spent around $100 billion preparing for the “doomsday bug” of Y2K.
Well, the Internet looks pretty different now. Not only is it everywhere, it is also expected to function at light speed. Minutes of screechy waiting no more. Nowadays, if your website takes longer than 3 seconds to load, you can expect to lose up to 53% of your prospective visitors. Yep, we’re an impatient bunch.
So I’ll cut to the point. Given the multi-national aspect of the Internet, what kind of European e-police are out there to back up these new rules?
GDPR is enforced by a special body inside the EU, created by government, which has been given the mandate to impose fines of up to 4% of a company’s global turnover or $20 million, whichever is larger. Of course, the extent to which these fines can actually be enforced is debatable. However, you can be sure that if a company fails to comply, it won’t go unnoticed.
But if you’re thinking that your business doesn’t have an office in a European country so you’re off scot-free then think again. Theoretically these new rules only apply to the data of European citizens, but the everywhere-ness of the Internet means that if you’re online, you’re at risk.
Accordingly, this has seen companies everywhere scrambling to conform at the last minute, hence the wave of emails and notifications.
The basic tenets of the GDPR are that:
- The requirements for obtaining personal data are higher, and it can be stored for “no longer than is necessary for the purposes for which the personal data are processed”
- Users need to explicitly give consent or opt in
- Users must have a way to opt out of this consent, and they have the right to request all information that a company has on them
- Users have the right to be forgotten
And all of these have to be addressed within a 72-hour window of being reported.
2. WHO SHOULD BE WORRIED?
Well, as we touched on earlier, everyone with a digital footprint should definitely be aware of the changes. But that doesn’t mean that there aren’t those who are more at risk than others.
The GDPR’s primary goal is to protect personal data across a number of fields such as:
- Basic identity information such as name and ID number
- Web data such as IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial and ethnic data
- Political views
- Sexual orientation
Pretty broad stuff, right? No wonder 52% of companies believe that they will be fined for non-compliance.
The waters around these changes are murky. Shannon Yakorsky, a lawyer who has been following the GDPR developments at Venable, commented “We just don’t know [the market standard]. There haven’t been any penalties, so we don’t know what enforcement is going to look like”. Just how heavily the e-police are going to rain judgement down upon the average business is completely unknown.
It has been stated that fines will be reserved for those businesses that “persistently, deliberately, or negligently flout the law”, making it seem as though a good faith effort to address breaches may be all that is required. Nonetheless, it’s starting to look like a pretty good idea to put together a few “What if” scenarios for your business. You know, just in case you find yourself looking down the barrel of a 72-hour breach reporting deadline.
So, what are the business requirements for falling under the GDPR’s umbrella?
A company falls under the GDPR if any of the following apply:
- It has a presence in an EU country
- It has no presence in the EU, but processes the personal data of European residents
- It has more than 250 employees
- It has fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive data
Sound like you? Here are six industries that run a higher than average risk, and a few of the things that they should be aware of.
- Hospitality, tourism & travel
One of the hardest aspects of the GDPR is that its protections exist for all European residents, regardless of their location. As a result, it should come as no surprise that this industry will be running the risk of slipping into hot water. These organisations, particularly those of a larger scale, regularly share customer information with third-party tools, apps, and businesses for payment and itinerary purposes.
- Financial organisations
There are a few aspects of financial institutions that mark them as being particularly vulnerable to the GDPR requirements. The first is that finance is, generally speaking, quite an international affair, with funds being transferred between and within international accounts. As a result, these companies tend to amass large amounts of Personally Identifiable Information (PII) data that they use to assess the viability of selling various services and the creditworthiness of certain customers. On top of this, the industry is routinely breached, and with the GDPR’s requirement that businesses provide “reasonable protection for customer data”, this may pose a problem.
- Retail
Even if your stores aren’t located in Europe, you can still run into GDPR grief. Paying with credit or debit cards, providing personal addresses for shipping purposes, and even keeping customer PII data as part of your loyalty program could be enough to get you into trouble. It is also worth keeping an eye on whether your business is receiving PII data from payment processors, online marketplaces, Internet search engines, contact management applications, email and messaging services, among others.
- Healthcare
An organisation is only permitted to monitor and collect the medical data of users if it is necessary for treatment and diagnosis, and only when consent is explicitly given. For any businesses that track biometric data as part of biometric verification processes, or monitor customers’ health and genetic data as part of delivering their service, more explicit data-tracking notifications to customers will be necessary.
- Physical and electronic security
To give an example of how these businesses might find themselves under the microscope, any public or private physical security organisation using CCTV to monitor publicly accessible areas should be concerned. Under the GDPR, large-scale surveillance of the public is a risky business.
- Marketing, advertising and digital media
From a media planning perspective, the GDPR shouldn’t make too big a splash in the advertising pool. However, it will definitely limit, or at least redefine, how we are able to access and use data to plan campaigns and strategies. It is therefore essential that professionals in this area be well ahead of the developments in order to ensure that all members of the audience are well-informed about what data is being collected on them, why it is being collected, and how they can opt out if need be.
Now that we’ve covered the basics of who is at risk, let’s get down to what you can do to mitigate your exposure.
3. SHORT TERM IMPACTS
In the simplest terms, simplicity will be key. Pages of nondescript, convoluted lawyer jargon won’t do. Users have to understand, in layman’s terms, what data they are forfeiting, and what this data will be used for.
As data breaches become more costly and what constitutes “personal information” becomes a more fluid paradigm, knowing who your partners are and how they use data will become even more important. As a result, companies might witness massive drop-off rates as businesses try to consolidate and make do with fewer partners.
It might not be a bad idea to ask your customers to re-opt in to any newsletter or mailing lists that you might have. While this will likely result in a dip in readership numbers, it will ensure that you’ve got your bases covered.
Additionally, it has been predicted that businesses whose primary audiences target a more mature demographic (45 to 54 years old) are more likely to receive requests for personal data, so they should spend more time preparing their processes and responses to ensure they fall within the 72-hour window.
In the immediate future, there are two main areas that organisations need to focus on:
- Restructuring business and IT processes to understand how PII data is used within the company, who it is used by, and where it is stored in the long term.
- Strengthening data security measures.
Dealing with and successfully navigating these changes might look a little something like this:
- Engage a third-party organisation to conduct a thorough audit of your data collection and storage processes, and your GDPR risk level; or if this is not an option
- Undertake a thorough mapping of data flow throughout the organisation
- Conduct a risk assessment for the business
- Create a data protection plan and an incident response plan that takes into account how to report GDPR compliance
- Undertake measures to reduce and prevent exposure
- Thoroughly test the data protection plan and the incident response plan
- Set up a process for ongoing monitoring and maintenance of data collection and storage
4. LONG TERM IMPACTS
For a long time, data collection has been viewed as an assumed right of businesses, and an invaluable asset for informing their strategies. One of the most significant long-term shifts that will accompany these changes is the transformation of this basic assumption, as businesses will have to adjust to new notions of what “personal information” constitutes. Although this transition period will probably be about as comfortable as sitting through a kindergarten clarinet symphony, it will ultimately streamline your business by ensuring that everyone is made aware of the ins and outs of how you operate. In time, taking data protection into account when developing a product or strategy will become second nature.
It will also have the benefit of restoring consumer confidence in your business, and successfully adapting to these changes will give you another weapon in your arsenal to prove that you care about more than making profits. It is your chance to show that your customers aren’t just nameless numbers and statistics. Thus far, data collection has been a shifty practice that has taken place in the shadowy parts of website coding. A little bit of e-literacy will ultimately throw a bit of light into these recesses and provide a real chance for consumers to “renegotiate the terms of engagement between people, their data, and the company” says David Carroll, associate professor of media design at The New School.
But who will be hit hardest? The big fish or the little guy?
It depends who you talk to. Some analysts are of the opinion that it is the monopolies that are most likely to be able to swallow the fines without blinking an eye, while a similar infraction might sink a smaller player. On the other hand, as we’ve seen, fines will most likely be reserved as a last resort, and a good faith effort to comply or turn around breaches may be enough. In this case, the more nimble smaller companies may have the upper hand over organisations with much more complex data flows.
5. SO BASICALLY…
Getting used to these big changes is going to be an itchy process for a while, especially while we have so little information about how these cases are going to be enforced. But just because we don’t have a clear picture doesn’t mean that we can’t be thoroughly prepared. There is also a good chance that these laws will become the international norm, so sitting around and saying that these are Europe’s problem is probably a bit short-sighted.
The 72-hour turnaround window that is expected of companies is a particularly steep ask when you consider that the organisation has to both fight off the breach on one hand while simultaneously dealing with the GDPR request on the other.
After all, we’ve all heard the old “by failing to prepare, you’re preparing to fail” mantra…
GDPR is a burden that is shared by data processors and data controllers equally, and the best course of action is to make sure that you are aware of how data flows through your business and what protocols are in place for its storage and safekeeping. Only then can you begin to formulate your “What if…” scenarios.
No one likes having the rug pulled from under their feet, but here at [Haimat] we are excited about the opportunities this gives companies who are willing to face these changes head on and take advantage of the opportunities they present!
If you have any questions, or you are unsure of whether your business will be affected, use the comments below to get in touch!