Facebook's Data Scandal and Europe's New Data Privacy Rule Have Massive Implications for U.S. Entrepreneurs
Seemingly every day, a new story breaks around Facebook and its ongoing, ever-deepening privacy debacle. It was sparked by the revelation that Cambridge Analytica, a political consulting firm that had worked with Donald Trump’s presidential campaign, harvested data from 50 million Facebook users. (Facebook apologized in grand fashion.) Now Facebook faces additional scrutiny over its practices around logging calls and texts on Android devices. (Facebook has not apologized on this one.)
Business owners and entrepreneurs around the world continue to watch Facebook’s latest privacy flubs unfold, possibly with a subtle sense of schadenfreude. But here’s the rub: These kerfuffles are precisely the sort of flashpoint that culminates in new regulation -- regulation that applies to all businesses, not just titans like Facebook. While the regulatory wheels often turn slowly in the U.S., there’s already a model for modern data privacy materializing in the European Union, in the form of the General Data Protection Regulation (GDPR).
This sweeping data privacy regulation goes into effect on May 25, 2018, and its implementation will be watched closely worldwide. As privacy concerns mount in the United States, the GDPR could very well serve as a model for best practices in data privacy going forward.
If your business -- be it small or large, private or public -- is handling data of European consumers, you already need to be drastically altering your data management practices by the May deadline. But in light of the current winds of change blowing in the U.S., now is also an opportune time to begin evaluating the implications of broader privacy regulation -- this time in the U.S. -- that could be on the horizon. A “wait and see” approach to the GDPR, and online privacy in general, may prove costly, even for small businesses.
The GDPR and U.S. small businesses.
The intention of the GDPR is relatively simple: to give EU citizens and residents greater control of their personal data. In our global economy, the GDPR affects a sizable proportion of all online businesses. It applies to all entities, located anywhere in the world, that control or process the personal data of EU data subjects. And just as location does not exempt companies from GDPR compliance, neither does size. The GDPR affects large multinational corporations and small businesses alike. There is no exclusion under the current GDPR for businesses with only a few employees.
If you’re wondering if the GDPR affects your business, here’s a simple flow chart for evaluation purposes.
The need to comply with the GDPR carries real associated costs which include data audits, IT upgrades and internal expertise to ensure ongoing compliance. Any company tempted to take a “see if they catch me” approach to avoid compliance costs needs to consider this: The fines for non-compliance can range as high as €20 million (almost U.S.$24 million) or 4 percent of global annual turnover -- whichever is greater. That’s a hefty gamble.
For U.S. businesses that need to comply with the GDPR (full regulation here) -- or for those looking to employ what may eventually be global best practices -- below are some steps that can be taken now.
Review existing data.
In addition to understanding whether you manage data belonging to EU data subjects, determine the types of personal data (email, IP addresses, etc.) that you collect, where it’s coming from, where it goes, and how you use it.
Assess data collection and processing practices.
In particular, determine what level of consent you’re obtaining for the data you collect. Under the GDPR, consent needs to be clear and specific. In addition, evaluate your security measures and policies (or get them in place altogether) to ensure they comply with the GDPR.
Review agreements with third-party data suppliers and processors.
Ensure that your suppliers and contractors (and related third-parties) are GDPR-compliant to avoid being impacted by any breaches and consequent penalties on their part. Update your contracts to place certain GDPR obligations on your suppliers and contractors, such as the need to notify you if their data is breached.
Re-permission existing data if needed.
Under the GDPR, you may need to ask data subjects for permission to use certain data of theirs you already have. In cases where it’s unlikely that you’ll gain consent if you ask (or you don’t have permission to contact the person), it may make sense to delete the data altogether.
Update your IT infrastructure.
You not only need to have the proper permissions to use customer data, but you also must protect it properly. This may require enhanced security on behalf of your IT team and additional technical and organizational safeguards.
Consider a data protection officer (DPO).
Most small businesses may be exempt from the GDPR’s requirement to appoint a DPO. If your company monitors data on a “large scale” and as a regular part of its “core business,” or processes sensitive data on a “large scale,” you need a DPO in place.
Document your compliance efforts.
Make sure you keep track of the steps you take toward GDPR compliance. Without a doubt, not all companies are going to be GDPR-compliant right out of the gate, but being able to demonstrate good-faith efforts toward adherence to the regulation may go a long way if your organization comes under question.
Above all, small-business owners and entrepreneurs must stay abreast of the fast-evolving data privacy landscape. In the case of the GDPR, the regulation and its enforcement are upon us, and companies must actively work to ensure initial and continued compliance. But more generally, businesses must also prepare for a future in which data privacy best practices become broader mandates worldwide. Today’s Facebook headlines may very well illustrate tomorrow’s data reality for many businesses.