Feb 28, 2018
Europe's new data protection regulation -- known as GDPR, or the General Data Protection Regulation -- will be here shortly: it applies from May 25, 2018. If you aren't familiar with GDPR, here's a brief overview to get you up to speed.
The key points of the regulation include, but aren't limited to:
Consolidation of many European countries’ individual laws around data protection
Protection of the personal data of people located in the EU (the regulation is written around where the person is, not their citizenship)
Allowing users to review, access, edit, and request removal of personal data
If an organization -- whether in Europe, the US or anywhere else in the world -- is non-compliant with the regulation, it can be fined up to €20 million or 4% of its global annual revenue, whichever is higher. These penalties are deliberately significant, to incentivize companies to meet the regulation.
U.S.-based companies that meet any of the following criteria fall within the scope of the regulation and must change several procedures to remain compliant. The criteria are:
Multinational companies doing business in Europe
Marketing to people while they are in Europe and then collecting their data
Note - This does not apply to people in Europe who happen to search for and find content or sites specifically targeted at a non-European audience; a site merely being reachable from Europe is not enough on its own
Using a European country-code top-level domain (.de, .fr, .co.uk, etc.)
Accepting payment in European currencies
If your company falls within the scope of the regulation, there are basic yet essential steps that must be taken immediately. (Note - this is not an exhaustive list.)
Locate all the data you hold on your users, including data stored with third-party providers, and document where each piece of it lives.
Change your signup processes so that users are told how the data they provide will be stored, how it will be used, and how long you'll keep it. You must obtain consent from the user in an active and affirmative way before using their data going forward; silence, inactivity or a pre-ticked box does not count as consent.
Serve your site over HTTPS (TLS) and ensure that every page, form and endpoint that collects data from the user is only reachable over HTTPS. Redirect plain HTTP rather than serving content on it, so that no form can be submitted in the clear.
Encrypt personal data at rest on the server and in every backup, and keep the encryption keys separate from the data they protect.
Do not email personal data (even as an Excel file or similar attachment) to anyone, ever. Passing information this way creates uncontrolled copies and leads to data leakage. Companies must ensure all internal staff are aware that this casual distribution of information may result in non-compliance.
Provide a process for site users to request an accounting of all data held on them, as well as the ability to correct that data or request its removal.
When storing data with third-party providers, ensure they have processes in place to support all of the above, and that those obligations are written into your contract with them.
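As an added illustration of the transport-encryption step above (this is example configuration, not anything from the original post or from Genuine): a minimal nginx setup that answers plain HTTP with nothing but a redirect, serves the site only over TLS 1.2 or 1.3, and sets an HSTS header so browsers stop using http:// for the host at all. The hostname example.com, the certificate paths and the document root are placeholders to be replaced with your own.

```nginx
# Added example: force HTTPS for every request and every form submission.
# example.com, the certificate paths and the root below are placeholders.

# Plain HTTP: serve nothing except a redirect, so no signup form can
# ever be loaded or POSTed in the clear.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;          # placeholder path

    # Refuse obsolete protocol versions; current browsers negotiate 1.2 or 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to use HTTPS for this host (and its subdomains) for two
    # years, so even a typed-in http:// URL never sends user data unencrypted.
    # Roll this out with a short max-age first, and only add "preload" once
    # every subdomain actually serves TLS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    root  /var/www/example.com;  # placeholder
    index index.html;
}
```

Two checks worth running after deploying something like this: `curl -I http://example.com/signup` should return a 301 to the https:// URL rather than the page itself, and the signup page must be loaded over HTTPS, not just post to an HTTPS action, since a form delivered over HTTP can be altered in transit to send the user's data elsewhere.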
Additionally, internal IT teams should follow these recommendations:
For some organizations, the role of Data Protection Officer (DPO) will need to be created and filled. This person is responsible for overseeing the protection of all user data within the organization.
Invest in tooling that can identify risks, breaches, and data loss.
Work on internal processes for securing data, handling data, and controlling who has access to it.
We've been fielding lots of questions from clients on this topic, including:
Who should I tap to help with my data storage?
For many of our clients, collecting data via their website introduces new concerns around where and how that data is stored. Genuine recommends using providers who acknowledge the concerns around GDPR and can provide documentation and processes that ensure the protection of visitor data.
Will these rules ever change?
While GDPR is a huge undertaking for Europe and for the companies that market themselves to Europeans, this is the first "trial and error" phase, meaning it's possible we'll see changes to how many of these requirements are met over the next few years.
Will it come to the U.S.? With breaches like Equifax, one might expect an appetite for this kind of legislation. That said, there is very little sustained anger over these kinds of breaches among Americans. Without a political groundswell demanding a change in legislation, our lawmakers will most likely not prioritize it.
If you're wondering how GDPR should inform your Technology, Strategy and Marketing team roadmaps, please do not hesitate to reach out.
-- Mike Norman, SVP Technology @ Genuine