The regulatory environment for digital organizations that handle their customers’ data—that is, pretty much all organizations—is poised to get more challenging, thanks to sweeping changes going into effect in the next few years or sooner in the European Union (“EU”) and the United States. The upshot? To turn the new regulatory environment into a competitive advantage rather than a disadvantage, companies need to start adapting quickly. Several specific changes in online business are in the offing as a result, including data portability requirements and “right to be forgotten” provisions, not to mention a rapidly evolving patchwork of regulation that changes from country to country across the globe and from state to state in the U.S.
As societies worldwide grapple with the implications of the massive amounts of personal data we all generate every day, customers are demanding and getting more control over their information, thanks to a responsive regulatory environment. Organizations must get in line or they risk fines, penalties, reputational damage and even being put out of business. Here are some changes organizations should watch out for.
Shift to consumer control over data. The European Union parliament in 2016 approved a new regulation that bolsters data protection measures for individuals in the EU. The General Data Protection Regulation is intended to give individuals control over their personal data and to simplify the regulatory environment for global companies by creating greater uniformity across the EU. It is too early to know how this might be affected by the recent events surrounding Brexit. Despite this uncertainty, and even though the regulation is not expected to be enforced until 2018, it is not too early for companies that do business in the EU to start preparing now.
The implications are sweeping. One part of the regulation calls for data portability, whereby an individual must be able to transfer personal data from one processing system to another in a commonly used format, on request. Fines for noncompliance can be up to 20,000,000 EUR or, in the case of an undertaking, 4 percent of total global revenue, whichever is greater. In addition to this overall regulation, each individual member state can create its own legislation, so global companies doing business in the EU must still pay attention to both union-wide and local regulations – as well as keep an eye on the evolving Brexit situation.
Right to be forgotten. The EU’s new data regulations also include a “right to be forgotten” provision. Stemming from a 2010 lawsuit in Spain, the 2016 regulation codifies, with some exceptions, the notion that individuals can request to have their personal data erased from a company’s database without undue delay. This includes data collected by third parties and then stored by a company. It also includes data stored outside the European Union. Google last year found itself facing fines in France if it didn’t comply with the ruling, and after fighting it, the search giant relented and has begun blocking some search engine results regarding people who have made right-to-be-forgotten requests. Unless exceptions apply, companies that don’t want to find themselves facing the kinds of sanctions Google did should implement quick and efficient measures to erase the personal data of customers who request it.
More stringent state laws in the U.S. While the U.S. hasn’t passed regulations as sweeping as those of the EU, some states have been implementing their own data protection measures. For example, California law requires websites that collect data about users to conspicuously state the type of information they’re collecting, the types of third parties to which they might provide that information and their online tracking practices. Connecticut and Massachusetts also have stringent laws protecting consumers’ data and requiring companies to safeguard that data.
These regulations carry different penalties for noncompliance. Depending on the type and severity of the violation, they can include very high fines, a halt to the processing of payments, exposure to civil lawsuits and more. Data protection laws are now scaling to the point where companies that haven’t been complying will struggle to catch up. As more players fall behind, companies that have done the work of implementing efficient data privacy systems and processes for compliance will have a competitive advantage. And maintaining a reputation as a company that respects and responds to consumers’ concerns about their data is becoming more critical every day.
Data has the potential to make companies a lot of money—and some companies have already capitalized on the opportunity. However, companies that have relied on their own ad-hoc best practices or even their own sense of right and wrong to manage customer data can no longer play data privacy by ear. Companies that do business on the internet must take seriously their role as custodians of personal data by storing and transmitting it securely. And now it’s not just the right thing to do—it’s the price of doing business in some of the world’s most desirable markets.
Dyann Bradbury is senior director of corporate compliance at Digital River, a leading global provider of cloud-based e-commerce solutions that specializes in building and managing online businesses across more than 240 territories and countries.