In the days leading up to May 25, email inboxes were filled with updated privacy notices and requests for marketing consent. Web browsers saw more banners about “cookies” than they had since broadband became ubiquitous, and businesses began to consider how they were going to comply with the far-reaching regulation – never mind that the drop-dead date for compliance was well announced, covered by global media and discussed at conferences for at least 365 days prior-to.
In the era of Europe’s General Data Protection Regulation (GDPR), any company that handles EU data must comply with the regulations. If found non-compliant, companies are slapped with nasty fines (2%-4% of global revenue) and barred from doing business in the EU until they can prove the issues have been fixed. Not complying is a high stakes game. In fact, some smaller firms, such as UnRoll.me and Verve, shut down their services to European users rather than contend with the anxiety surrounding potential non-compliance. Similarly, prominent media outlets in the United States blocked traffic from the EU altogether on May 26, rather than risk being labelled non-compliant.
Perhaps this was a smart move. Within minutes of the GDPR becoming a reality, advocacy groups and consumer watchdogs began running active challenge campaigns, flooding companies for information requests, testing their metal, and validating their preparedness. To date, complaints have been filed against Google, Facebook, WhatsApp and Instagram, citing that these companies do not offer true “consent”, as users are banned from using the services if they do not agree to non-negotiable terms. Additional complaints were filed against a number of US-based technology companies, including Microsoft and Android, data brokers like Acxiom, and internet providers like Verizon. This barrage signals that privacy hawks are prepared to use the new regulations as a way to force big companies to be better stewards of data.
Big companies can state they are compliant, have a documented process for components of GDPR and appoint a Data Privacy Officer, but odds are their current structure will never allow them to find, identify, and categorize all the data that they have collected over time. As a result, these companies may avoid tangling with GDPR until ‘Dave’ notices his request for information wasn’t complete or finds his PII leaked to the web – outside the window of the mandatory breach notification period – at which time the company will be liable for the fine and open to suit from all affected individuals. GDPR establishes a statute and, soon, a precedent: guilt will be assumed and failure to maintain compliance will result in businesses getting fined and having to defend themselves in court. If fined, brand reputation is also at stake as the public is likely to equate GDPR violations, even from a company that outwardly took measures to be compliant, as a sign that the company does not truly value or respect users’ data.
Regardless of whether they believe they can comply, the GDPR forces companies to examine how they treat data. We know that an individual’s non-public and personally identifiable information is one of their most valuable possessions and consumers prioritize doing business with companies that respect and protect their interest. Because data is also the most valuable possession of a company, it should be a moral imperative for companies to protect the individual assets of each of their customers. After all, the data being collected is only on loan for a specific purpose. And, like any loan, all reasonable precautions must be taken to safeguard the asset and are not transferable. The borrower must inform the lender of what he will be using the loan for and the loan should be returned in full when it is deemed mature. If you tear away all the legalese and nearly 11 years of committees, this is what GDPR is designed for.
Today, the seriousness of GDPR is not up for debate; the regulation may very well drive the next 10 years of IT and make companies better stewards of data, their most valuable resource. Whether we will experience a transformation in how data is managed by big companies remains to be realised, however implementing a long-term path to compliance would undoubtedly have a great effect on how global companies are viewed by advocacy groups, policy makers and, most importantly, their constituents.