Data privacy is a big deal right now. Facebook is the latest company facing lawsuits and a PR nightmare related to the way it handled its customers’ data. However, Facebook is not the only company that needs to re-think its privacy-related policies. The current data issues that Facebook is facing place the spotlight on a problem that has been brewing for some time.
Privacy and control over what companies do with personal information is a common concern held by people around the world, from all walks of life and all political persuasions. While there are differing views on whose responsibility it is to protect data, most agree that there should be some safety measures taken. In the US, most states have some laws related to data breach and data security but the US does not have a comprehensive federal data security law. The European Union has enacted a stringent regulation called the General Data Protection Regulation (GDPR). The GDPR goes into effect in May 2018 and places strict rules on what companies can do with the personal data of EU residents. Read here about the 5 steps your company needs to take before May.
GDPR requires companies to closely monitor and control their collection of personal data of EU residents. “Personal Data” is broadly defined and includes details such as name, date of birth, social security number, financial information, address, email addresses, IP addresses, sexual orientation, and religion. Under the GDPR, individuals have a right to opt in to having their data collected, to know what data is being collected, why it is being collected, and who is receiving it, to request copies of all personal data a company holds about them, to opt out of the data collection, and to have it deleted completely from the company’s records. In order to comply with these and other requirements, companies need to have processes and policies in place that let them act quickly. Non-compliance can result in massive fines of up to 20 million Euros or 4% of the company’s global turnover, whichever is higher, per breach. These are serious consequences, and US businesses need to be prepared. While Facebook has been highly criticized for the Cambridge Analytica data scandal, its recent changes regarding privacy have likely been in the works for some time. Like other businesses, Facebook has to be compliant with the GDPR by the May 2018 deadline.
The GDPR is an EU regulation, but that doesn’t mean that US businesses have nothing to worry about. Even companies without a physical presence in the EU could be liable for violations of the GDPR. Like Facebook, businesses that collect personal data from any EU resident need to make sure they are compliant with the GDPR by May. The recent PR scandal Facebook is dealing with highlights the public’s demand for transparency and for giving consumers greater control over their data.