According to PYMNTS.com, e-Commerce related fraud attacks have risen by 30% in the past year. Each high-profile security breach, data leak, or hacking scandal has heightened consumer awareness about the vulnerability of their personal information, and this has placed businesses in a difficult position. On one hand, enterprises need as much consumer information as possible to deliver relevant, personalized communications that can enhance the overall customer experience and ultimately improve satisfaction. On the other hand, these same enterprises are also obligated to protect their customers’ privacy while remaining in compliance with an increasingly stringent and complex web of regulations that are instituted and enforced by governments working to protect their citizens. Today’s businesses must strike a balance between harvesting consumer information and keeping it safe, and this can be a substantial challenge.
The European Union’s General Data Protection Regulation (GDPR) goes into effect on Friday, May 25, threatening to make the balance that enterprises are struggling with even more precarious. The legislation is expected to influence the formation of data localization laws on a global basis, and it will likely have a major impact on where and how enterprises do business. GDPR, which replaces “Privacy Shield” in the European Union (itself a replacement for the “Safe Harbor” law), returns ownership of personal data (data that can be used to directly or indirectly identify an individual) to the continent’s consumers and grants them sweeping control over its use. Any organization that gathers, archives, processes, or manages the personal information of one of the EU’s “data subjects” is now bound by this new regulation.
Consumers can exercise their “right to be forgotten” by denying permission to access their data. They can also request a copy of their data, or demand that it be standardized and sent to a third party. Under the terms of the GDPR, data protection must be included when systems are designed. In addition, customers must be notified of data breaches within 72 hours of their discovery, and there are certain cases where companies must name a data protection officer to communicate with the governing data protection authorities.
Businesses are now required to obtain permission before using their European customers’ data, and that consent can be withdrawn just as easily as it is given. As such, enterprises should maximize their efforts by targeting the prospects that they have the best chance of converting into customers and become more deliberate in their data selection. Any enterprise that is doing business in the EU must now audit all customer data and determine its use going forward.
In the weeks leading up to the implementation of GDPR, organizations have been preparing by sending their customers notifications to explain what data is collected, how it is gathered, and how it is shared or internally leveraged. Some of these notifications are e-mails that include links to interactive applications, which enable consumers to specify their preferences regarding the frequency and format of future correspondence. Other businesses are taking a simpler approach, asking their customers to opt in for digital communications since the new regulations prevent companies from sending unsolicited e-mails.
A number of larger companies were able to commit dedicated resources to the GDPR initiative before it went into effect to ensure compliance ahead of time, but not all organizations are so well-prepared. According to recent survey data from Keypoint Intelligence – InfoTrends, financial services and insurance providers are generally better prepared for the implementation of GDPR than those in the retail and healthcare sectors. Unfortunately, our marketing survey results indicate that only 56% of enterprise respondents in Western Europe and 41% of those in North America have already taken steps to prepare for GDPR. Most respondents were aware of the new regulation, but a quarter of those in Western Europe and a third of those in North America believed that they would not be ready in time. If these organizations are investigated by the data protection authorities that are overseeing regional enforcement and are found to have made no efforts toward compliance, they could be penalized with fines as steep as 4% of their global revenues.
Although businesses without European customers might be tempted to breathe a collective sigh of relief, GDPR is sure to have wide-ranging implications for companies in every corner of the globe. Many nations will use the legislation as a benchmark to measure their own data protection provisions. For example, Argentina already had its own data protection laws in place, but recently chose to redraft them to match the GDPR provisions. India, Hong Kong, Mexico, and South Korea have also taken similar measures, or are considering doing so.
Earlier this month, supporters of the California Consumer Privacy Act (CCPA) announced that their petition had secured enough signatures to place the provision on ballots in November. This proposed law is similar to GDPR and would require businesses to disclose the data on California residents that is collected, stored, used, shared, or sold. Customers would also have the right to deny the sale of their information and would have the option to sue for violations without fear of personal loss. The Act would apply to all organizations doing business in California that a) have annual gross revenues in excess of $50 million, b) sell the personal information of 100,000+ consumers per year, or c) earn at least half their annual revenues from selling that personal information. Opponents of the proposal argue that compliance would place an undue burden on businesses, increase the risk of litigation, and ultimately cripple California’s economy—especially since the information protected extends to Internet purchasing (and even browsing) history as well as interactions with websites, apps, and online ads.
Regardless of whether the CCPA becomes a reality, the GDPR is sure to create a ripple effect that will raise the threshold of data usage guidelines on a worldwide basis. Although remaining in compliance with GDPR will be challenging for industry players—particularly SMBs and regional businesses—and will force them to up their games in the near term, the GDPR’s influence will likely go a long way toward standardizing data practices and solving some of the complexities of doing business on an international basis. Now is the time for businesses of all sizes to update their data collection and protection strategies with their legal advisors and IT providers. A little preparation can keep you on the right side of the law… and out of tomorrow’s headlines!