Posted by Eno on July 16, 2018
Probably not. But don’t fear, #TeamBTI is about to break it down for you.
What’s the 411?
This May, the European Union launched the General Data Protection Regulation (GDPR). This is a set of privacy rules set by the EU, but it has global implications that most businesses with a website should be aware of.
(Image Source: European Commission)
Unlike CASL in Canada, which is more of a series of consent-based regulations, GDPR focuses on personal data protection. That covers names and addresses, but it goes as far as an individual’s shopping habits, cookies and IP address. At this stage in an internet-dependent 21st century, you can imagine the astronomical value behind all of this data. That said, businesses are truly taking a loss with the reduced ability to collect such data, while consumers rejoice at stronger privacy regulation and peace of mind while browsing and posting online.
Facebook has recently been under fire by the U.K. Commissioner’s Office because of their controversial business with Cambridge Analytica back in 2015. The social network giant was accused of sharing data of up to 2.7 million Europeans with Cambridge Analytica, the company that consulted on the Trump Presidential campaign. (AdAge)
This opens the floor to a discussion about a larger issue, as Facebook has been systemically misusing data over the years, affecting up to 87 million users on the social network. Although Facebook has yet to conduct an internal audit, the U.K. ICO has already suggested a fine of about $664,000, and this is based on pre-GDPR regulations! Since this occurred in 2015, the GDPR policy cannot retroactively punish Facebook. But if this were to happen in the present day, the U.K. ICO could levy as much as 4% of the business’s annual sales across the globe. Facebook made $40 million in 2017. (AdAge) You do the math.
How does this affect my business?
The negative repercussions that Facebook is facing for its data practices on a pre-GDPR web, three years ago, are indicative of a systemic shift in the way data will be handled in the future. The web is changing, and this should be an early warning to every business on the internet: either comply or shut down.
The internet is a global entity; it doesn’t belong to any one country, nation, or group of countries. It’s constantly evolving, and although the GDPR is an EU-specific policy, we will see global social networks, news sites, and content sharing platforms change their current policies and data mining strategies to comply with the new laws.
As of the end of May, Japan, South Korea, and Brazil are already prepared to follow Europe in passing similar laws regarding data protection. Trade embargoes are being used as an incentive to encourage other countries to follow Europe.
Finally, we will see a shift in the way that targeted advertising functions in the future. As businesses will not be able to mine and utilize as much data as in the past, they will either have to innovate in the way they target customers, or the modern targeted ad model will be a thing of the past.
I’m Canadian Though...
How does this affect us living here in the Great North? The principle of "privacy by design" has been recognized in Canada since the 1990s. The concept holds that privacy cannot be assured solely by compliance with regulations. So, it’s particularly important for businesses to apply appropriate technical and organizational measures to safeguard consumer data. Here are some best practices for you to consider:
- Proactively updating IT systems to resist attacks, which includes applying software updates, implementing new security techniques, etc.
- Auditing your data on a regular basis
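To make "auditing your data on a regular basis" concrete, here is an added example script (written for this post, not BTI's own tooling) that scans customer records for the kinds of personal data the post mentions (names, addresses, e-mail, IP addresses, cookie identifiers), reports where that data lives, and flags records held longer than an assumed retention period. The record schema, field names, retention window and the sample records are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Field names assumed to hold personal data directly (assumed schema for this example).
PERSONAL_FIELDS = {"name", "address", "email", "ip_address", "cookie_id"}

# Content patterns that reveal personal data hiding in free-text fields.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample records (not real customer data); "collected_at" is ISO-8601 UTC.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer", "email": "a@example.com",
     "ip_address": "203.0.113.7", "collected_at": "2018-01-10T12:00:00+00:00"},
    {"id": 2, "cookie_id": "cid-42", "notes": "called from 198.51.100.9",
     "collected_at": "2018-07-01T09:30:00+00:00"},
    {"id": 3, "name": "B. Customer", "notes": "gift wrap",
     "collected_at": "2017-05-05T00:00:00+00:00"},
]

# Audit date used by the sample run (the date of this post).
AUDIT_DATE = datetime(2018, 7, 16, tzinfo=timezone.utc)


def personal_fields(record):
    """Return the names of fields in `record` that hold personal data."""
    found = set()
    for key, value in record.items():
        if key in PERSONAL_FIELDS:
            found.add(key)
        elif isinstance(value, str) and (EMAIL_RE.search(value) or IPV4_RE.search(value)):
            # Personal data leaked into a field that was not meant to hold it.
            found.add(key)
    return found


def audit(records, now, retention_days=365):
    """Summarise where personal data lives and which records exceed retention."""
    cutoff = now - timedelta(days=retention_days)
    field_counts = {}
    expired = []
    with_personal = 0
    for rec in records:
        fields = personal_fields(rec)
        if not fields:
            continue
        with_personal += 1
        for f in fields:
            field_counts[f] = field_counts.get(f, 0) + 1
        collected = datetime.fromisoformat(rec["collected_at"])
        if collected < cutoff:
            expired.append(rec["id"])  # candidate for deletion or re-consent
    return {
        "records_with_personal_data": with_personal,
        "field_counts": field_counts,
        "expired_ids": expired,
    }


def run_sample_audit():
    """Run the audit over the constructed records as of AUDIT_DATE."""
    return audit(SAMPLE_RECORDS, AUDIT_DATE)


if __name__ == "__main__":
    print(run_sample_audit())
```

The "notes" field in record 2 is the interesting case: nothing in the schema says it holds personal data, yet an IP address ended up there, which is exactly what a periodic audit is meant to surface before a regulator does.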
The Cost of Non-Compliance
(Image Source: Forbes)
The cost of non-compliance is astronomical. After a series of warnings and data processing suspensions, you or your business could be fined up to $30 million CAD. It is also worth noting that if you fail to report, within 72 hours, a data breach that is likely to jeopardize the rights and interests of your European customers, the penalty will increase, and 72 hours is NOT a lot of time.
Some businesses might be concerned about paperwork, staff training, budget calibration, etc., but it’s time for you to step up your game on privacy compliance.
Proactive business owners will ensure GDPR compliance by being proficient in documenting data flow, updating their terms of services and privacy policies, auditing their recording policies, and training employees in privacy and data sensitivity.
Is your business GDPR compliant? Contact the team at BTI for an internal audit and professional guidance.