General Data Protection Regulation (GDPR) went into effect on May 25th of this year, with companies scrambling to protect EU citizens’ data records and switching to user opt-in consent. Some companies have responded by adopting certain new privacy standards for all of their users, regardless of location. For example, Microsoft announced that it believes GDPR “establishes important principles that are relevant globally” and that it will extend the Data Subject Rights at the heart of GDPR to all of its consumer customers around the world.
Other companies are taking a different approach. Some are creating separate sites for traffic that is coming, or appears to be coming, from the European Union, and only collecting personally identifiable information or persistent identifiers from visitors they identify as located outside the European Union. Some U.S. sites have blocked EU traffic altogether.
Some companies have faced criticism for not being prepared for GDPR, in spite of having known the date it would go into effect all the way back in 2016. Other companies have faced criticism for their implementation.
On the very first day of GDPR enforcement, Google, Facebook, and Facebook subsidiaries WhatsApp and Instagram were hit with lawsuits alleging that the companies have asked customers to either agree to have their data collected, shared, and used for targeted advertising, or to delete their accounts. Companies can be fined up to 4 percent of their global revenue for GDPR violations, so no matter how these lawsuits end up playing out, business journalists may want to take note.
Even with the clear warnings and affirmative consent required by GDPR, companies that collect large swaths of data from users are responsible for securing that data, particularly if it is being retained and/or sold to third parties. Online privacy is having its day of reckoning, and even companies operating by the letter of the law may find themselves having to answer for their policies.
Since EU users now have a right to request that companies delete and stop sharing their data, and that third-party firms stop using it as well, it’s worth paying attention to whether U.S. users will make those demands as well. GDPR also requires businesses to anonymize routinely collected data and add other data protections to their operations. Since so many U.S. companies do business in the EU, this could have an effect on privacy policies in the U.S. as well.
In many cases, GDPR requires organizations to report certain types of data breaches involving unauthorized access to personal data, or a loss of personal data, to a supervisory authority within 72 hours, and to the victims soon thereafter.
Look for companies to improve their processes for detecting and addressing data breaches, and to increase the amount of spending on security firms offering penetration testing to ensure that their customer portals are well-designed and secure. Some European organizations may even open up bug bounty programs to crowdsource their security and allow tech-savvy citizens to find critical bugs in their companies before the bad guys do.