On May 25, the General Data Protection Regulation (GDPR) will go into effect in the European Union, but its implications will reach far beyond the borders of the 28 member states of the EU.
US businesses need to know the regulation and understand how it can impact their business operations so they can protect themselves against the legal consequences and sizable fines for non-compliance. Now more than ever, US companies must be sure that their data, including the data shared in communication channels, is secure and compliant.
The General Data Protection Regulation replaces the 1995 Data Protection Directive, adopted when the internet was just getting started. GDPR was adopted in 2016, but it gave the member states of the EU two years to fully implement its provisions, which brings us to today. According to the official site of the GDPR, the regulation was designed “…to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy,” but in our connected world, data has no regional borders.
The fundamental principle of the regulation is the right to privacy and protection of EU citizens, giving them the right to anonymity in the data that they share with businesses and enterprises. To ensure this, GDPR puts the onus on businesses to obtain consumer consent, which must be “freely given, specific, informed, and unambiguous.”
Specific instances of GDPR regulations include explicitly stating what online information about citizens is being sourced and the purpose for collection. This includes opt-in options for all online sourcing of personal information, or Personally Identifiable Information (PII) as it is known in the US. If consumers do not agree with how the data is used, there must be an option to opt-out of sharing information. This is where GDPR crosses borders.
Any personal data that is sourced from citizens currently residing in the EU must comply with the GDPR. Therefore, businesses that retain such data and/or behavioral information, even if it doesn’t leave the EU, will still be subject to GDPR regulations.
For example, say a US-based retailer is running a campaign in Germany that requires the user to submit their email address. The retailer would 1) have to explain how their email address will be used, and 2) ask the user for their permission to use their email (no link to an attached Terms and Conditions document or default check mark in the box is allowed). Once the US retailer gets permission to use their email address, the retailer would have to appoint a representative in the EU to be responsible for following GDPR in their collection and processing of that data in the Cloud.
GDPR gives the consumers much overdue and entitled power to control their own data security, but what about data shared in internal company communications?
Customer data, including that of people who fall under the protection of GDPR, is often shared within companies via channels like email, and increasingly on business messengers like Microsoft Teams, Atlassian’s Stride, Slack, and others. Most of these tools do not protect EU citizens’ data with end-to-end encryption.
Collaboration is the primary selling point for such solutions, and teams often share documents using these platforms, which can also be connected to other external platforms like Google Docs.
If the documents shared contain personal data, those platforms must also comply with GDPR.
Going forward, US companies will need to not only get permission to collect and process customer data, but also get permission to make that personal data available to any tools they use internally for collaboration.
The exception to the rule is when the chosen internal communication and collaboration tool secures all data with end-to-end encryption as the service provider does not then get access to any customer data.
We’ve talked about the Increased Territorial Scope of GDPR and Consent, but there are many other provisions worth noting that could greatly impact companies that do not comply:
- Penalties: there is a tiered approach to fines under GDPR based on the seriousness of the infringement, capping out with fines up to 4% of annual growth or €20 million, whichever is greater.
- Breach notification: Businesses and data processors will be required to notify all member states within 72 hours of awareness of the breach.
- Right to access: Consumers, or data subjects, have the right to confirm if their personal data is being processed and they can ask the data controller for a copy of the personal data, free of charge.
- Right to be forgotten (or data erasure): Data subjects have the right to have their data erased, and they can ask for their data not to be disseminated and potentially have third parties halt processing of their data.
- Data portability: Data subjects can have their data sent to them or even transmitted to another data controller.
- Privacy by design: This regulation calls for the inclusion of data protection from the onset of systems design, rather than as an addition.
Every US business targeting European markets must become fluent in GDPR regulations, and that business knowledge needs to extend beyond the high-level stakeholders to each employee, as they represent the greatest risk of non-compliance.
Many individuals will be at risk for breaching their company’s data and must know and understand the newly updated policies put in place by the EU, or face potential lawsuits, multi-million-dollar fines, and lost consumer trust.
GDPR will be the foundation for well-regulated data sourcing, collection and behavioral information of internet residents throughout the world. In the future, we will look back at the regulations put in place by the EU and commend the effort and integrity of those who persevered and fought to sustain the security of all globally connected citizens.