Europe’s sweeping privacy law creates opportunities to improve compliance and business practices.
GDPR Day is Here
After a two-year grace period, countless articles and presentations analyzing its content and impact, millions spent on compliance and legal consultants, and last-minute scrambling, the General Data Protection Regulation (GDPR) is here. Today, a sleepy Friday before the unofficial kickoff of summer in the US, EU member countries will begin enforcing the vast privacy law.
The GDPR builds on EU privacy law dating back more than twenty years by (among other things) granting individuals specific rights to control their personal data and by adding serious teeth to European privacy law: penalties of up to the higher of 4% of a firm’s global annual revenue or €20 million (about $23.4 million) for the most serious violations.
The GDPR is remarkable for its reach. It applies not only to firms established in the EU, but to any business, wherever located, that offers goods or services to people in the EU or monitors their behaviour there. Note that the test is whether the individuals are in the EU, not whether they are EU citizens. Many American firms have been slow to appreciate the law’s impact on them, reasoning that they are an American company and this is a European law. Not so. For example, an American restaurant that markets to European tourists and takes their reservations online while they are still in Europe (collecting names, contact details and card data in the process) must comply with GDPR for that data.
As one would expect with such a disruptive legal requirement, GDPR has caused great angst among firms of all sizes in all industries, with many reporting that even today, as enforcement commences, they are noncompliant or only partially compliant. But smaller firms, and particularly smaller US firms that serve few European clients (like the aforementioned restaurant), need not sweat too much, at least not yet. EU regulators have consistently stated that early enforcement will focus on what they judge to be the biggest risks and the most serious violators.
Still, GDPR is here and firms have to comply. But beyond mere compliance with the law’s specific requirements, GDPR presents an opportunity for firms to improve not only their data collection and management practices but also how they use data in the first place.
The reaction to GDPR among American firms has been mixed. Many of the smarter ones, however, have used today’s deadline as a reason to reassess the data they collect, how they store it, and how they use it. In the abstract, everyone recognizes the value of data, but many firms, big and small alike, will readily admit that at a minimum they are not using that data efficiently, or, worse, that they do not fully understand what data they hold or how to use it at all.
GDPR requires firms to map the data they collect and how they use it (Article 30’s record of processing activities is the formal expression of this requirement: what is collected, why, on what legal basis, where it is stored, who it is shared with, and for how long it is kept). This, in turn, should prompt firms to look at how they collect, store, and use that data, not just through the legal and compliance lens, but for business purposes as well. Many firms have acknowledged that this is a positive side effect of GDPR.
Such an approach need not be a one-off. Compliance and regulatory burdens on small and mid-sized firms are real, and despite some of the deregulation push in Washington, they are not going away. Yet there can be benefits to focusing on compliance, including a push for efficiency and the implementation of best practices in sometimes ignored areas. The GDPR provides such an example.