For many companies using personal data for their day-to-day functions, there’s something daunting about the European Union’s General Data Protection Regulation (referred to as “GDPR” or “the Regulation”). It’s that the EU’s regimen of personal data protection — a massive, meticulously detailed piece of legislation adopted by the European Parliament in 2016, with representation from each member state, which superseded the European Data Protection Directive of 1995 — made it abundantly clear the treatment and use of personal data will be taken very seriously, and noncompliance will lead to hefty financial penalties.
But, why are we even talking about a piece of legislation that originated in the EU over here in the U.S.?
The short answer? Its scope. GDPR is one of the most expansive and far-reaching regulations we’ve seen in recent history. The Regulation applies not only to companies established within the EU, but also to companies outside it that offer goods or services to individuals (so-called “data subjects” under the GDPR) in the EU, or that monitor their behaviour there. So, to the extent that companies target EU data subjects, GDPR’s reach is effectively without borders. And in today’s global economy, where everyone senses an increasing interconnectedness, GDPR’s reach can’t be overstated.
Another reason? It’s fundamentally shaking up the way U.S. companies treat personal data, starting with the way we define it! When we think of personal data, we typically think of someone’s name, social security number, or address. Under GDPR, personal data is defined as “any information relating to an identified or identifiable natural person,” which encompasses online identifiers (e.g., an IP address), location data, and traits associated with an individual’s cultural or social identity (e.g., political party membership and professional affiliations). So, GDPR has significantly broadened the way U.S. companies view personal data.
While this shake-up should not be characterised as your typical power struggle between businesses and individuals, GDPR is undoubtedly emphasising individuals’ privacy rights. Since the dawn of Big Data, with companies holding more personal data than ever before, they have struggled to balance the interests of individuals against the legitimate needs of commercial business.
In the U.S., without a comprehensive set of privacy protection laws like the EU’s GDPR, that balance has trended heavily in favour of businesses unless the information at issue was considered highly sensitive, such as personal financial data or personal health information. Whereas U.S. companies have traditionally marginalised personal data rights, a fundamental tenet of GDPR is that ownership of personal data – no matter how legitimately it may have been acquired or at what expense – remains with the person identified by that data, not with the organisation which acquired it.
And because ownership resides with the data subject, the data subject has the right to rule over their data, including, among other things, the right to:
- See what information is stored and used, and for what purposes (i.e., right to information)
- Object to how personal data is used
- Demand that personal data be corrected
- Be forgotten (within reason)
- Access and receive any personal data held about the data subject by the organisation
So, what other ways is GDPR impacting the U.S.?
For starters, EU companies take GDPR seriously, and it’s increasingly difficult to do business with EU companies unless you also take compliance seriously. The road to compliance, however, can be burdensome and expensive, especially for companies that heavily collect and process personal data. The impact of GDPR has been massive for U.S. companies like Google and Facebook (where data is a core business), and for companies that provide services involving sensitive data such as health care (where data is a high-value by-product). In fact, its provisions are sufficiently exacting that some U.S. companies elected to withdraw from targeting European consumers once GDPR went into effect in May 2018, rather than face the significant costs of implementing compliance measures and risk heavy fines.
Even so, lots of U.S. companies saw GDPR as a wave of what’s to come, and rather than retreat from European consumers, they turned and faced GDPR head on. These companies are making a good-faith effort to comply with all 99 articles of GDPR by doing the following:
- Increasing security budgets
- Appointing Data Protection Officers
- Bolstering Compliance Departments with proper resources
- Integrating top-down routine educational initiatives to make employees aware of the new rules throughout the U.S.
- Implementing and offering robust data privacy documentation (including data processing agreements)
And the trend for GDPR-like laws keeps growing. It’s picking up steam in parts of the U.S., with states enacting their own data protection laws, while also gaining traction in Eastern Europe, Asia, the Middle East, and South America. While that must be attributed, in part, to growing support for heightened individual privacy rights, it can also be correlated with the growing concern in the U.S. and abroad that the volume of personal data collected, held, exchanged, combined, sold, and otherwise used by organisations to influence behaviour has gotten out of hand. Sometimes quite literally, as exemplified by the number of breaches over the past few years in which data has escaped the hands of the organisations that held it.
Here are some of the states or countries around the world enacting, or planning to enact, laws targeting improvements in personal privacy:
- Brazil (General Data Protection Law, scheduled to take effect in February 2020)
- Bahrain, Serbia, and Hong Kong (recently enacted data privacy laws)
- Switzerland, Israel, and Uruguay (in the process of amending existing laws to align more closely with GDPR)
- California (CCPA takes effect January 1, 2020)
- New York and Nevada
- And at the national level, there are steps being taken to consider a first-ever comprehensive U.S. Federal Privacy Law
Still, why would companies outside Europe and the above-mentioned locations take it upon themselves to comply with such a demanding regulatory regime, particularly if they were legitimately outside the reach of GDPR and these other privacy laws?
There are several good reasons:
- It shows your customers that you have a serious commitment to individual privacy rights.
- It indicates a serious commitment to technical infrastructure and organisational security policies. GDPR requires that you have appropriate technical and organisational security measures in place.
- Many in the marketing community argue that it produces higher levels of customer engagement. Given that you must have a lawful basis for collecting and processing personal data, it encourages you to focus on the customers that either need to be contacted (legitimate interest) or want to be contacted (consent).
- It forces you to take cybersecurity seriously, requiring a deep dive into all the technical and organisational security measures you have in place to ensure personal data is protected. It encourages a methodical analysis (and accompanying documentation) of an organisation’s security infrastructure, policies, guidelines, and practices, resulting in a more secure organisation.
Simply put, being GDPR-compliant, and doing business with companies that are also compliant, can bring significant benefits to both sides of the transaction – reducing marketing waste and business risk while increasing consumer confidence. And that’s nothing to be afraid of.
Gared Conner, Deputy General Counsel and Head of Legal Americas, TeamViewer