Get All Access for $5/mo

Facebook's Data Scandal and Europe's New Data Privacy Rule Have Massive Implications for U.S. Entrepreneurs Facebook's accelerating fall from grace comes just as the EU is implementing what is likely to be the global gold standard for data regulation.

By Arndt Groth Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

Chesnot | Getty Images

Seemingly every day, a new story breaks around Facebook and its ongoing, ever-deepening privacy debacle. It was sparked by the revelation that Cambridge Analytica, a political consulting firm that had worked with Donald Trump's presidential campaign, harvested data from 50 million Facebook users. (Facebook apologized in grand fashion.) Now Facebook faces additional scrutiny over its practices around logging calls and texts on Android devices. (Facebook has not apologized on this one.)

Business owners and entrepreneurs around the world continue to watch Facebook's latest privacy flubs unfold, possibly with a subtle sense of schadenfreude. But here's the rub: These kerfuffles are precisely the sort of flashpoint that culminates in new regulation -- regulation that applies to all businesses, not just titans like Facebook. While the regulatory wheels often turn slowly in the U.S., there's already a model for modern data privacy materializing in the European Union, in the form of the General Data Protection Regulation (GDPR).

This sweeping data privacy regulation goes into effect on May 25, 2018, and its implementation will be watched closely worldwide. As privacy concerns mount in the United States, the GDPR could very well serve as a model for best practices in data privacy going forward.

If your business -- be it small or large, private or public -- is handling data of European consumers, you already need to be drastically altering your data management practices by the May deadline. But in light of the current winds of change blowing in the U.S., now is also an opportune time to begin evaluating the implications of broader privacy regulation -- this time in the U.S. -- that could be on the horizon. A "wait and see" approach to the GDPR, and online privacy in general, may prove costly, even for small businesses.

Related: Making Your Data Unreadable to Whoever Steals It Might Be the Only Way to Keep It Safe

The GDPR and U.S. small businesses.

The intention of the GDPR is relatively simple: to give EU citizens and residents greater control of their personal data. In our global economy, the GDPR affects a sizable proportion of all online businesses. It applies to all entities, located anywhere in the world, that control or process the personal data of EU data subjects. And just as location does not exempt companies from GDPR compliance, neither does size. The GDPR affects large multinational corporations and small businesses alike. There is no exclusion under the current GDPR for businesses with only a few employees.

If you're wondering if the GDPR affects your business, here's a simple flow chart for evaluation purposes.

The need to comply with the GDPR carries real associated costs which include data audits, IT upgrades and internal expertise to ensure ongoing compliance. Any company tempted to take a "see if they catch me" approach to avoid compliance costs needs to consider this: The fines for non-compliance can range as high as €20 million (almost U.S.$24 million) or 4 percent of global annual turnover -- whichever is greater. That's a hefty gamble.

For U.S. businesses that need to comply with the GDPR (full regulation here) -- or for those looking to employ what may eventually be global best practices -- below are some steps that can be taken now.

Related: Read Mark Zuckerberg's Full Statement on Facebook's Data Scandal

Review existing data.

In addition to understanding whether you manage data belonging to EU data subjects, determine the types of personal data (email, IP addresses, etc.) that you collect, where it's coming from, where it goes, and how you use it.

Assess data collection and processing practices.

In particular, determine what level of consent you're obtaining for the data you collect. Under the GDPR, consent needs to be clear and specific. In addition, evaluate your security measures and policies (or get them in place altogether) to ensure they comply with the GDPR.

Related: Mark Zuckerberg Doesn't Seem Very Sorry or Very Forgiven

Review agreements with third-party data suppliers and processors.

Ensure that your suppliers and contractors (and related third-parties) are GDPR-compliant to avoid being impacted by any breaches and consequent penalties on their part. Update your contracts to place certain GDPR obligations on your suppliers and contractors, such as the need to notify you if their data is breached.

Re-permission existing data if needed.

Under the GDPR, you may need to ask data subjects for permission to use certain data of theirs you already have. In cases where it's unlikely that you'll gain consent if you ask (or you don't have permission to contact the person), it may make sense to delete the data altogether.

Update your IT infrastructure.

You not only need to have the proper permissions to use customer data, but you also must protect it properly. This may require enhanced security on behalf of your IT team and additional technical and organizational safeguards.

Consider a data protection officer (DPO).

Most small businesses may be exempt from the GDPR's requirement to appoint a DPO. If your company monitors data on a "large scale" and as a regular part of its "core business," or processes sensitive data on a "large scale," you need a DPO in place.

Related: Facebook's Brand Is Becoming the Uber of Social Media, and That's Not a Good Thing

Document your compliance efforts.

Make sure you keep track of the steps you take toward GDPR compliance. Without a doubt, not all companies are going to be GDPR-compliant right out of the gate, but being able to demonstrate good-faith efforts toward adherence to the regulation may go a long way if your organization comes under question.

Above all, small-business owners and entrepreneurs must stay abreast of the fast-evolving data privacy landscape. In the case of the GDPR, the regulation and its enforcement are upon us, and companies must actively work to ensure initial and continued compliance. But more generally, businesses must also prepare for a future in which data privacy best practices become broader mandates worldwide. Today's Facebook headlines may very well illustrate tomorrow's data reality for many businesses.

Arndt Groth

President of Smaato

Arndt Groth joined Smaato as president in September 2017. He has more than 20 years of executive-level experience in business leadership and digital marketing. Prior to joining Smaato, Groth was CEO of publicly listed PubliGroupe AG in Lausanne, Switzerland, which he guided through its acquisition by Swisscom AG. Previously, Arndt founded DoubleClick Germany and then went on to be DoubleClick’s VP Media Northern Europe. He started his career on the publisher side at the Georg von Holtzbrinck Group and at Hutchison Mobile.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick


The 4 Pillars of Leadership Success

Being a good leader can feel like an abstract goal, but it doesn't have to be. Here are the four pillars that I believe are the foundation of effective, successful leadership.

Side Hustle

This Former Disney Princess Lived 'Paycheck to Paycheck' Before Starting a Side Hustle at Home — Now She Makes $250,000 a Year

Victoria Carroll's income was "sporadic" until a friend encouraged her to take her talents to Fiverr in 2018.


How to Know If a Local Business Has Franchise Potential, From a Guy Who Built One Into 80 Locations

Wade Brannon had already built and sold one franchise when a kid's hair salon in his area caught his interest.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business News

Amazon Is Reportedly Tracking 'Coffee Badging' Workers and Their Real In-Office Hours

Leaked Slack messages showed employees had a minimum number of hours they needed to be in the office for the time to count as an in-office day.