Over the last decade, the trifecta of poor security controls, poor user-behavior controls (ie: can you bring a USB drive to work and plug it into a cash register?), and criminals crossed paths to produce repeated data breaches. You’ve heard of the big ones like Sony, Home Depot, Target, and Equifax. Naturally, there are many more. We rarely hear about the ones at small local businesses.
While the Feds have done little to require businesses to strengthen data privacy & security, some companies have voluntarily raised their security efforts. Many didn’t. It’s a broad global issue. Outside the US, you never give your credit/debit card to a clerk, waiter, or bartender. They bring the card machine to you. You insert the card, ok the amount & pocket the card, then hand the machine back to the clerk. US cardholders control the card like this only at big box retail & grocery stores. This process reduces the possibility of people stealing card info because employees never get possession of the card.
The other shoe drops
Two years ago, the European Union decided they’d waited long enough for companies to use consumer data carefully & properly protect it. They created the GDPR – or “General Data Protection Regulation“.
The GDPR gives control of a consumer’s personal data back to them, requires clear privacy policies, and sets rules for how opt-ins are offered / used. But that’s not all.
It also has a few other items of interest:
- Ever been frustrated that a company has as data breach and doesn’t report it for months or even years? GDPR requires providing the EU authorities within 72 hours of determining that a breach occurred (there are more details about what breaches require this, but I’ll leave that investigation to you).
First, I don’t recommend reading the GDPR reg on the EU website unless you’re an attorney. Maybe not even then. There are plenty of good, detailed explanations about what it means to companies based in the EU, companies with offices in the EU, and companies that do business with EU residents.
That last part is why US companies have to pay attention.
Why does a US business care about GDPR?
First off, this is not legal advice and I am certainly not an attorney, nor do I play one on TV. You need to discuss this stuff with your legal counsel, mostly because getting caught playing this game wrong can get really expensive.
You may think this doesn’t matter because it’s an EU regulation. You might be right, particularly if you only serve local customers. However, if you have an online business that serves customers in the EU, a closer look is merited.
This isn’t solely an EU problem. This change had to start somewhere and most of it is necessary. I suggest that you look at GDPR with your team. There are numerous “GDPR for Americans” explainer pages to help you decipher it.
For example: There are exemptions (perhaps not the right word) for data collected when the EU person is not in the EU, or when you don’t advertise in the EU, target EU prospects in your ads, or have EU languages / currencies as part of your website.
Even if exempt, we need to look forward
Companies need to take more responsibility for protecting they data they collect than they have previously done. Likewise, they will eventually need to give consumers better access/control of the data collected about them. Failing that, it will be forced upon them.
Why? Because Congress will eventually be forced to implement something & they have routinely shown a lack of ability / desire to understand how US businesses use technology.
Imagine how “the Patriot Act for business” and “TSA for data” might look like if written in a fear-based mindset after a “bad actor” gets an IRS database. If history teaches us anything, it’s that they’ll overreact.
Another angle: Companies that are ahead of the curve are going to be more attractive to consumers and prospective buyers.
The GDPR is enforceable as of May 25, 2018.