The news that the personal data of roughly 87 million Facebook users was used in ways they never explicitly approved, or even contemplated, has left many Americans feeling more uncomfortable than Mark Zuckerberg in a suit and tie. What’s more, the episode puts every company in the spotlight over how it secures and uses customer data, because greater consumer awareness brings higher expectations.
So what lessons can be learned from the Facebook debacle and Zuckerberg’s grilling on Capitol Hill?
A photo that received a lot of attention during Zuckerberg’s testimony showed the Facebook CEO’s notes and talking points, which include the admonition: “Don’t say we already do what GDPR requires.”
Indeed, it was not until April 17 that Facebook declared in a blog post, “Today we’re introducing new privacy experiences for everyone on Facebook as part of the E.U.’s General Data Protection Regulation (GDPR).”
GDPR, which applies from May 25, 2018, is the most significant development in data protection law since the 1995 Data Protection Directive it replaces.
Specifically, GDPR, which runs to 99 articles and 173 recitals, is a set of rules established to give individuals in the E.U. more rights and control over their personal data. GDPR requires companies to demonstrate a lawful basis for any collection, use or sharing of personal data. GDPR emphasizes transparency and requires businesses to give individuals clear notices and disclosures of exactly what data is collected, why it is collected, how long it is kept and who receives it. Where consent is the lawful basis, it must be “freely given, specific, informed and unambiguous,” and it must be as easy to withdraw as it was to give.
While GDPR originates in the E.U., it applies to any business worldwide that offers goods or services to individuals in the E.U. or monitors their behavior there, whether or not the business has a European office. Noncompliance may result in significant financial penalties: up to 20 million euros or 4 percent of a company’s total worldwide annual revenue, whichever is higher.
Under GDPR, personal data of individuals in the E.U. may be transferred outside the E.U. only to a country the European Commission has deemed to provide “adequate” data protection, or under another approved safeguard. Since the U.S. as a country has not been deemed adequate, Minnesota businesses must look to options such as the E.U.-U.S. Privacy Shield Framework administered by the U.S. Department of Commerce, standard contractual clauses approved by the Commission, or binding corporate rules to support the lawful transfer, storage and processing of any such personal data. Transferring data without one of these mechanisms in place may trigger the hefty GDPR penalties.
The good news for many U.S. companies is that they started planning for GDPR two years ago, when the regulation and its effective date were first announced. That preparation included revamping data protection mechanisms and creating processes for maintaining records of processing activities. The readiness checklist for GDPR also included instituting new policies and practices for notifying individuals of what personal information is collected, with whom it is shared and for what purposes. Beyond these steps, companies had to consider vendor and data-processor contracts, review data breach and incident reporting programs (GDPR requires most breaches to be reported to the supervisory authority within 72 hours), and conduct risk assessments for privacy compliance and data security. Finally, companies needed to determine how to accomplish the transfer of data from the E.U. to the U.S. using the Privacy Shield or another legal mechanism.
Still, many organizations have not taken these critical steps. By some estimates, as many as half of the companies subject to GDPR will not be ready by the compliance deadline, but it is not too late to begin preparing.
Tech giants like Facebook and Google, along with businesses whose revenue depends on collecting and sharing data, will likely be among the early targets of GDPR enforcement. All companies, however, regardless of size, should consider how GDPR applies to their business. And while the U.S. may not adopt the European model of protecting personal data and privacy, American-based businesses would be wise to recognize it as the gold standard for collecting and sharing personal information. Pursuing this higher standard of security and transparency will not only make organizations GDPR compliant, but will also give them a competitive advantage as consumers gravitate toward businesses that value data privacy and security.
The bottom line: Compliance with GDPR may not be a legal requirement for every U.S.-based company, but it may be good for business. After all, more news coverage brings more awareness of how companies are using data, and as a result companies must do their part to solidify trust with their customers, or face the fallout Facebook is now facing.
Michael Cohen is a principal and the privacy officer at the Gray Plant Mooty law firm, where he advises clients on legal matters involving data protection, privacy and security.