Over the past few years, data security has become a hot-button issue in the business community. From financial institutions (e.g., Wells Fargo) to brick-and-mortar retail stores (e.g., Target), numerous recognizable businesses have experienced online security breaches leading to compromised customer information. This growing trend of security concerns over customer data has resulted in new government regulation in hopes of curtailing data impropriety.
Most notable of the recent data protection regulations is the European Union’s General Data Protection Regulation (“GDPR”). Effective May 25, 2018, the GDPR is the EU’s attempt to curtail data breaches and misuse of customer data, particularly when it comes to information collected from European citizens by businesses. But the GDPR’s effects are positively global—any business with ties to the European Union’s citizens is impacted by the new regulation. Businesses that offer their goods and services to the EU are required to comply if they wish to have their products in the EU marketplace. Also subject to the GDPR are businesses with a website or e-mail list accessible by European Union residents. Failure to abide by the GDPR’s rules can result in heavy fines imposed by the GDPR’s enforcement mechanisms. Maximum fines can reach four percent of global revenue.
The regulation itself has a relatively simple concept: protect the data you have collected, and ask for permission before collecting more. Businesses that want to send a commercial message to a European citizen’s e-mail address must have received consent beforehand via an “opt-in” procedure. Likewise, citizens must affirmatively approve the company processing (i.e., storing) their personal information. The business must also provide channels for a citizen to request the deletion of their personal information. Further, the business is responsible for safely processing and storing any personal information it acquires from customers or recipients of marketing materials. If any breach of customer data occurs, including names, location, identity, online identifiers, etc., the business must report the data breach within 72 hours.
The resulting issue is this: because American companies have long operated without concern over who receives their online marketing materials, most businesses are likely to have little or no idea to whom they are sending e-mails or who is shopping on their websites. Many small businesses traditionally had no need to retain records of who is on the receiving end of their promotional campaigns. Outside of honoring “opt-out” requests, there was no reason to track such information. Now, with the GDPR’s passage, businesses need to pay closer attention. And, according to a recent survey, strikingly few US businesses are aware of the GDPR’s details and ramifications—91% of surveyed businesses felt they were unfamiliar with the new regulation.
Generally, the GDPR will not impact every business, especially those that operate exclusively offline. However, data security will continue to grow as a vital business concern. Record keeping of mailing lists or ordered products online is becoming commonplace. While this helps develop a customer base, it also creates exposure to security concerns. Regulation designed to limit these concerns will only increase as the flow of consumer information grows. Businesses should prepare to face additional regulation going forward.
If the GDPR does stand to affect your business today, the most obvious solution for many may simply be to remove any e-mail addresses tied to the European Union from e-mail lists and their servers. Many companies currently store customer information after a purchase, whether to solicit them for future business or as standard record-keeping practice. Auditing and removing this information may be the most cost-efficient way to avoid the ire of GDPR regulators. Regardless of how your business handles online marketing or sales, if the company conducts sales or markets overseas, be sure that your IT service provider is accurately and securely storing any customer information your business keeps. Further, businesses should establish procedures to handle potential security breaches before they happen. If a breach does occur, swift action is required—a preapproved plan of action will make cleanup much easier to deal with.
Each business is different, as is its optimal response to the GDPR. For more information about the GDPR and its applicability to individual businesses, please contact a member of the Business Team at the Law Firm of Conway, Olejniczak & Jerry, S.C.