You may have noticed that many of your phone apps have sent notices lately updating your privacy terms.
This cascade is not a coincidence. You can thank the European Union’s General Data Protection Regulation (GDPR), a wide-ranging set of internet privacy regulations which went into effect late last month.
The European Union, incrementally less laissez-faire in its capitalism than the United States, has been a leader in cracking down on entities such as Google for privacy concerns.
The GDPR is a comprehensive set of standards regulating online data security, with massive penalties for corporate noncompliance. Companies must demonstrate that they are properly encrypting and anonymizing personal data, ensure the confidentiality, integrity and resilience of their platforms, and maintain consistent processes for testing the technical and organizational measures that ensure security and privacy.
How will the GDPR affect U.S. companies? Bryce Austin, president of TCE Strategy, a Twin Cities-based cybersecurity expert and author of “Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives,” points to several key issues:
1. Purging E.U. data
The GDPR requires companies to purge European Union (E.U.) data from their systems upon request. While this sounds easy, it isn’t. Companies will be forced to catalog all the data they have and track it much more closely, along with keeping tighter reins on who has access to it. While companies should be doing this already, many aren’t.
2. Marketing campaigns must be opt-in based
For example, if a user downloads a free white paper from a website, any checkboxes that allow for future marketing materials to be sent to that user cannot be checked by default. The GDPR’s language here is very explicit: consent must be obtained from citizens in a way that is “freely given, specific, informed, and unambiguous.”
3. Targeted campaigns
Companies that may market products or services to E.U. citizens will need to be very careful about how “targeted” their marketing campaigns are. For example, if a website is translated into an E.U.-specific language, such as Greek, there is an argument to be made that the website is targeting E.U. customers, and as such, falls under GDPR rules.
4. Breaches must be disclosed within 72 hours
The Equifax breach was disclosed 40 days after it was discovered. The GDPR requires three days. As a result, a detailed and tested breach response plan is a minimum requirement.
These regulations seem benign. But they will complicate the operations of online marketing companies (including Facebook and Google) that have become accustomed to perfunctory constraints on how they could share and monetize the personal information of users.
The first 25 years of the Web reflected a Wild West culture. The founders of the major social network platforms naively proclaimed that greatly reduced privacy was a small price to pay for free access to their new world.
But lurking in the background was the aphorism “if you are not paying for it, you are the product.” Giving up privacy to vendors attempting to leverage it for commercial advantage, using powerful Big Data tools, is becoming increasingly controversial, and likely to be regulated and controlled by societies representing their citizens.
Even though the E.U. has no regulatory power in the United States, the GDPR will likely have a major effect here, for several reasons:
1. It will take years of legislating, lobbying and compromising for Congress to pass comprehensive privacy legislation with teeth to it.
2. Because the internet is by nature global, companies blocking the use of noncompliant apps in E.U. countries would be inefficient and impractical, hindering the “viral” spread of popular apps and memes.
3. GDPR implementation is based on ISO 27001. ISO, the International Standards Organization, is already an accepted global standard for certifying consistency of processes in manufacturing and services.
Historically, legal and process structures catch up with technology revolutions sooner or later. Consider the history of automobile regulations. When cars first showed up on streets at the turn of the 20th century, there were no rules at all — there weren’t enough cars to require close control. Over the next hundred years, decade by decade, incremental process regulation was put in place. The volume of traffic required it, as a car went from a novelty to society’s key mode of transportation.
We are watching the same pattern with the internet today.
Isaac Cheifetz is an executive search consultant focused on leadership roles in analytics and digital transformation. Go to catalytic1.com to read past columns or to contact him.