What You Need to Know About the EU’s New Data Rules
If your company is based in Europe and manages customer data, then you have been preparing for this day. The European Union put a sweeping set of new data and privacy rules into effect, giving consumers more control over their digital footprints and a right to know how private companies use their data. Organizations headquartered elsewhere need to pay attention too: these rules apply to anyone that collects digital information from customers living in Europe. If you serve even a single individual on the continent, you may need to revamp your data policies.
The new standards are known as the General Data Protection Regulation (GDPR), and many of the rules will be familiar to tech executives who are accustomed to infosec compliance. Data harvesters will need to ensure that their vendors comply with the standards, for example, and some will need to bring on data protection officers (DPOs). Requirements regarding data access monitoring will also be stepped up, and scrupulous records regarding all data-processing activities must be maintained.
The regulations aren’t without their controversies, though. When it comes to data breaches, the Europeans are imposing extremely stiff measures: Incidents must be publicly reported within 72 hours of the event, and companies that fail to do so can be fined tens of millions of dollars. GDPR also gives consumers the “right to be forgotten,” meaning that data holders must delete a user’s personal information upon request—but what exactly constitutes “personal information” is something that’s sure to be litigated.
It also remains unclear how well European authorities will be able to enforce these measures against companies based outside their territorial jurisdiction. As brands grow internationally and data flows across borders, the notion that a single region can govern how that data is used worldwide raises open questions.
Either way, GDPR represents an earnest effort to move companies away from long and unreadable user agreements and toward more easily interpreted notices to their customers. Data harvesters will have to explain in simple terms how they collect users’ information and what they will do with it, and those uses must fall into a set of predetermined categories. That’s a good thing, and data harvesters should embrace it. Rules like that increase transparency, and with it consumer confidence—so at the end of the day, companies that strive for openness, easy access, and honesty will have a competitive edge.