GDPR is sneaking up on American businesses. It’s like watching a horror film. Everything is quiet, but you know something really scary is hiding around the next corner.
These four simple letters, GDPR—the Global Data Protection Regulation—take effect May 25. It’s a European policy that focuses on the appropriate collection, use and storage of any data that can be linked to European citizens. Any piece of data that can be used to identify a person is covered: name, date of birth, physical address, IP address, etc.
Most American businesses—from small shops to big corporations—have data that is covered by GDPR. The data is in employee databases, website analytics, email or contact lists, vendor databases, payment systems, user accounts, or even behavioral data pulled from any of the social media services. The EU regulators have a big stick to make sure GDPR is enforced: Non-compliance could trigger fines of up to 4 percent of a business’s global revenue.
Nearly one in 10 American Facebook users deleted their accounts following the discovery that Facebook did not prevent Cambridge Analytica’s misuse of personal information. Users and customers have higher expectations regarding appropriate use and control of their data. It’s not just about words; it’s about execution.
With 5,000 records breached per minute and malware attacks happening all the time, figuring out how to be GDPR-compliant is just common sense. Data is a business asset; how it is accessed and used does affect the success or demise of a business. Smart leaders have already been investing in structured processes to inventory, organize, control, share, erase and govern data.
A key pillar of GDPR is “The Right To Be Forgotten.” An EU citizen has the right to request that any identifiable information about him or her be erased by the business that has it.
For example, an EU citizen who is not happy about Google search results for his or her name, phone number, address, IP, etc., can demand that Google erase all of those search results. Google must also put controls in place to ensure that the person’s identifiable data, both historical and newly collected, does not reappear in later search results. Imagine the data controls and measures Google needs to put in place to comply with these kinds of requests.
Being a good steward of identifiable data creates additional challenges for startups and small businesses. Some will evaluate their risk and choose to do nothing different. Others will decide to invest in being compliant to the best of their abilities.
Still other businesses will just close up shop. In fact, there have already been reports of a few European businesses that have looked at GDPR’s requirements and, deciding they are insurmountable, are shutting down.
The potential downside risk associated with GDPR for American businesses is extreme. The horror is that not enough businesses are paying attention, and American bank accounts have the potential to be slaughtered.
Eilenberg is founder and CEO of Lodestone Logic, an Indianapolis-based global consulting firm.