
Why U.S. Tech Companies Should Embrace GDPR, Required or Not

Image Credit: Piotr Adamowicz/BigStockPhoto.com

Almost 92% of America’s population uses the internet daily, and most are entirely unaware of where their data is going. Even if they know about the risks, people tend to keep blinders on and assume that companies are ethical with the data collected. And while it may be easy for companies to embrace consumer ignorance, enhancing data protection systems and complying with major global privacy law updates sooner than required will give businesses a leg up.

Technological evolution has fundamentally changed how we interact with the world. Consumers confidently share personal information without a second thought—banking information, contacts, social media data, IP addresses, and browser cookie data. (You’re probably sharing information right now by reading this article.)

Consumer data is vital for businesses to improve customer communications and experiences. This fundamental change in the way we interact with the world raises questions that have yet to be answered as the social and political landscape is trying to understand this change (just as it was during the Industrial Revolution). To whom does the data belong? Who can regulate the data and based on what? Is it based on where the data is stored or where the person originates? What happens if data is stolen and a person is harmed? Who is responsible? These are questions that the US government has yet to deal with. Dealing with them does not mean interfering with the liberties and freedom of people and businesses; it just means that a meaningful conversation happens and we decide as a society what is important to us.

More than three years ago, the European Union created the General Data Protection Regulation (GDPR) to address many of the questions above. This data privacy law protects users’ sensitive information by requiring organizations to keep data safe while giving people more control over how their data is used and determining who owns the data. This law also made sure that clients are aware of the data collected and the intent the business has when collecting it. This enabled people to consent to the use and has therefore resulted in better data management and use in the EU.

Without GDPR, various companies take one-sided actions as a way to show they are protecting their clients. A good example is Apple disabling all third-party cookies and presenting it as “enhanced privacy.” The result is that they decided for their clients that they will not get personalized offerings. The same has been done by Facebook, Instagram and Twitter. After all, it will not surprise anyone that profit-seeking companies are not always the best candidates for setting social norms. The EU GDPR law, on the other hand, standardized actions and allowed people to decide what they want rather than be led.

Under the GDPR, individuals have eight data subject rights that companies are obligated to uphold:

  1. The right to be informed: individuals must be notified before companies collect personal data. Consumers must opt-in for their data to be gathered, and consent must be freely given rather than implied.
  2. The right to access: individuals have the right to know exactly what information is held about them and how it is processed. The company must provide a copy of the personal data free of charge and in an electronic format if requested.
  3. The right to rectification: individuals will be entitled to have personal data updated if it is inaccurate or incomplete.
  4. The right to erasure: if consumers are no longer customers or withdraw their consent for companies to use their data, they hold the right to have their data deleted.
  5. The right to restrict processing: consumers can request that their data is not used for processing. Their record can remain in place but not be used.
  6. The right to data portability: individuals can transfer their data from one service provider to another for their own purpose.
  7. The right to object: individuals are entitled to object to their data being used for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received.
  8. The right to avoid automated decision-making: individuals have the right to demand human intervention rather than have important decisions made solely by algorithm. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them or is based on automated processing.

The GDPR goes beyond most US compliance laws, which only protect data that others can use to commit fraud. In addition to names and government ID numbers, the GDPR also protects information that can connect to a person’s “physical, physiological, genetic, mental, economic, cultural, or social identity.”

While this regulation is a requirement in the EU, American businesses can be affected even if they do not have a physical presence, such as employees or offices. The GDPR does not specify EU “residents” or “citizens” but applies to the processing of “personal data of data subjects” in the EU by controllers and processors. In Article 3 of the GDPR, the regulation encompasses the “processing activities” related to (1) offering goods or services; or (2) monitoring data subject behavior that takes place in the EU.

But it’s not just Europe with increasing privacy concerns. California enacted its own consumer privacy laws, the CCPA, at the start of 2020. Like the GDPR, the CCPA allows consumers to access and delete their data and broadly defines the data that needs protection. The California law is also spurring copycat legislation in other states.

Many US-based companies already have European customers or will expand to meet them in the near future. Required or not, it makes enormous sense for any business to be GDPR-compliant rather than risk violation fines—and it’s advantageous for market differentiation.

How GDPR can benefit US companies

In a digital world, companies must provide outstanding customer experiences, including data security and accountability. Transparency around data collection and use builds loyal customer relations, which GDPR enforces. This framework is built to ensure personal and important information is not jeopardized. GDPR is there to save people from losing their assets. In a nutshell, GDPR compliance equals a safer, and therefore better, customer experience.

Reaching full GDPR compliance signifies that an organization has achieved a high level of data protection, which saves time and hassle when dealing with transgressions—an attribute that all customers, clients, and business partners can appreciate. My company, Regpack, has the highest level of GDPR because our databases separate the value of the information from its key. So if a breach ever occurred, our saved personal identifying information (PII) wouldn’t be exposed because hackers can’t access the algorithm that connects the keys with the values. By requiring information to be split between entities, we have disabled hackers’ ability to gather personal data, creating a secure structure, particularly for PII.

Breaches erode consumer and business partner trust, tarnish brand appeal, and impact future purchases. The GDPR is the EU’s way of putting individuals, prospects, customers, contractors, and employees in the driver’s seat, taking power from businesses that collect and use data for monetary gain. However, according to a TrustArc study of 600 US, UK, and other EU companies, only 20% of businesses believed they were GDPR compliant in the same year the digital privacy legislation went into effect.

Consumers shouldn’t have to tolerate another year of companies gathering massive user profiles—and they don’t need to endure it. GDPR is one of the first statutes to recognize privacy as a fundamental human right and set a baseline for all organizations to follow.

An invitation to innovate

If you aren’t yet inspired to get ahead of GDPR, consider this: GDPR can accelerate innovation. In most cases, compliance laws like GDPR aim to protect, preserve, or improve some component of the customer experience but also motivate businesses to enhance existing services. Once business leaders acknowledge compliance laws as jumping-off points instead of staying in a state of fear, they can remain in agreement with the rules while better serving their customers.

For example, say a policymaker changes payment systems requirements to include dates. Instead of completing the bare minimum to meet compliance, the systems could automatically create a calendar while you add dates for clients to view. Your brand will not only meet industry standards but acquire a competitive advantage by using the update as an opportunity to enhance your services for prospects, increasing the marketable value of your products.

GDPR allows customers to choose how their information, assets, or business is handled. Customizable offerings like Regpack's payments platform offer customers the autonomy to decide what is best for them and their business.

New U.S. privacy laws are coming, and companies that already adhere to GDPR will be ahead of the game when these regulations are enacted.

Author

Asaf Darash is the founder and CEO of Regpack, an online payment management platform. With extensive experience as an entrepreneur and investor, he has built three successful companies to date, each with an exit plan or that are still in operation. He specializes in product development for the web, team building, and bringing a company from a concept to profitability. His specialties include extreme programming, programming languages, JavaScript, MongoDB, system structures and new media, enabling him to build versatile products based on achievable business models. Asaf holds a PhD in New Media from Hebrew University of Jerusalem and has served as a Fulbright Scholar at the University of California, Berkeley.
