Twenty-two months.
That's how long businesses have to ensure their privacy, security and information governance strategies are compliant with the requirements set forth by the European Union General Data Protection Regulation (GDPR).
While the May 2018 deadline may feel far off, organizations should not waste any time rethinking their strategies. With potential fines of up to 4 percent of annual global revenue, GDPR applies to every company with an established European presence, as well as to any company whose website offers goods or services to EU citizens, including cloud services developed by US-based companies.
As long as the goods or services are available to EU-based individuals, the company does not need to be established in the EU.
Under the GDPR, companies must provide customers with clear notice of the purpose of data collection and consent must be freely given, specific, informed, and unambiguous. This is an incredibly important requirement for organizations to understand.
A Privacy Notice People Can Understand
Privacy policies have, in a sense, made us a nation of liars.
In today’s business environment, privacy notices have become complex, multi-page documents written to satisfy corporate legal obligations — authored by attorneys and intelligible to almost no one.
Under the EU GDPR, companies must make these policies clear and concise.
Privacy notices should communicate complex and important information comprehensibly and effectively to people with a basic education. Presenting this information well can help promote consumer understanding and save organizations time and money.
The clearer you are up front with your privacy notice, the fewer problems you may face down the road. You will be able to streamline and standardize your own internal training programs, policies and procedures based on a clear understanding of these notices. And you will be in a better position to promote a trusting relationship between your organization and customers, as well as with Data Protection Agencies and Regulators.
“Opt in” allows customers to choose whether or not they allow information sharing. “Opt out” starts with the presumption that consumers have chosen to share their information, and puts the onus on the consumer to refuse sharing information about themselves — the consumer must act to change that selection.
In the opt-out scenario, the default setting allows the business access to all information unless the consumer directly informs the business that they do not want it to.
These distinctions are interesting in light of a recent study by the Columbia Business School. The study “Defaults, Framing and Privacy: Why Opting In-Opting Out” looked into the habits of consumers in completing online purchases, surveys, polls and questionnaires. It examined the difference in consumer behavior if information was already selected for them in an online checklist, versus the consumer having to choose on their own.
The study concluded that consumers were far more likely to accept pre-selected answers and rarely did anything to change them. It showed that even when the consequence of accepting the pre-selected choice led to purchases amounting to hundreds of dollars, respondents were likely to do nothing to make a change.
Sadly, many organizations know this tendency among the majority of consumers well, and it drove their decision to prefer the opt-out approach to privacy.
Under GDPR opt-out will no longer be acceptable. Under GDPR, no means no.
Being Held Accountable for Data
The new requirements for clear and unambiguous opt-in and consent will very directly impact how companies collect information, record the purpose of data collection, and then store, use or share that information.
For example, if a company collects customer data to provide technical support, it must clearly state the reason for collecting the data, and the customer must proactively opt in to allow this. Once the company receives the data, it can only use the data for the purpose of technical support, unless it has obtained specific and explicit permission from the customer to use their information for other purposes.
This means that data stored in a company's systems will need to be clearly marked with the purpose it was collected for, so that it is not inadvertently combined with other data and used for a different purpose.
Organizations that undergo a merger or acquisition after collecting data will also be impacted, as will organizations that regularly share customer data with external parties – particularly if the information sharing is unrelated to the original data collection purpose. The opt-in requirement mandates that many organizations create layered consent mechanisms where they can specifically demonstrate that an individual has chosen to have data shared with third parties or to use the data for a separate purpose.
As many organizations collect data (and obtain consent) through their websites or internet portals, this will require a major revamping of current consent mechanisms and opt-in/opt-out practices. It will, of course, also apply to in-person and other non-web-based consent forms.
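The two controls this section describes, opt-in consent that defaults to "no" and purpose tags on stored data so that records are not silently reused for another purpose, can be made concrete in code. The following is an added illustration, not code from the original article or from any named product: a small consent ledger keyed by (subject, purpose), and a data store that refuses to collect or use personal data unless an explicit grant for exactly that purpose exists, recording every repurposing in an audit trail so the organization can demonstrate what was consented to. The subject id, purposes, notice version and sample support ticket are all constructed for the example.

```python
"""Purpose-limited storage with opt-in consent (added example, not from the article).

Models two controls: consent is opt-in (absence of a grant means 'no'), and every stored
record carries the purpose it was collected for, so using it for another purpose needs a
separate, explicit grant and is logged. All names and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


class PurposeViolation(Exception):
    """Raised when personal data would be collected or used without consent for that purpose."""


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str   # the privacy notice the person actually saw when opting in
    granted_at: datetime


@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str          # purpose tag: what this copy of the data was collected for
    data: dict


class ConsentLedger:
    """Layered consent: one explicit grant per (subject, purpose). Never granted, or withdrawn, means 'no'."""

    def __init__(self) -> None:
        self._grants: dict[tuple[str, str], ConsentRecord] = {}

    def opt_in(self, subject_id: str, purpose: str, notice_version: str) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, notice_version, datetime.now(timezone.utc))
        self._grants[(subject_id, purpose)] = rec
        return rec

    def withdraw(self, subject_id: str, purpose: str) -> None:
        self._grants.pop((subject_id, purpose), None)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return (subject_id, purpose) in self._grants


class PurposeLimitedStore:
    """Stores personal data tagged with its collection purpose and gates every collection and use."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self._records: list[PersonalRecord] = []
        self.audit: list[str] = []   # evidence of what was used for which purpose

    def collect(self, subject_id: str, purpose: str, data: dict) -> None:
        if not self.ledger.has_consent(subject_id, purpose):
            raise PurposeViolation(f"{subject_id} has not opted in to '{purpose}'")
        self._records.append(PersonalRecord(subject_id, purpose, dict(data)))
        self.audit.append(f"collect {subject_id} purpose={purpose}")

    def use(self, subject_id: str, requested_purpose: str) -> list[dict]:
        # No grant for the requested purpose means no use, whatever purpose the data carries.
        if not self.ledger.has_consent(subject_id, requested_purpose):
            raise PurposeViolation(f"no consent from {subject_id} for '{requested_purpose}'")
        released = []
        for rec in self._records:
            if rec.subject_id != subject_id:
                continue
            if rec.purpose != requested_purpose:
                # Repurposing: permitted only because a separate grant exists; log it explicitly.
                self.audit.append(f"repurpose {subject_id} {rec.purpose}->{requested_purpose}")
            else:
                self.audit.append(f"use {subject_id} purpose={requested_purpose}")
            released.append(rec.data)
        return released


def demo() -> dict:
    """Walk through the article's support-data scenario and return each outcome."""
    ledger, outcome = ConsentLedger(), {}
    store = PurposeLimitedStore(ledger)
    ticket = {"email": "alice@example.com", "issue": "printer will not connect"}  # constructed

    try:
        store.collect("alice", "technical_support", ticket)   # no opt-in yet
        outcome["collect_without_consent"] = "allowed"
    except PurposeViolation:
        outcome["collect_without_consent"] = "refused"

    ledger.opt_in("alice", "technical_support", notice_version="privacy-notice-v3")
    store.collect("alice", "technical_support", ticket)
    outcome["support_use"] = len(store.use("alice", "technical_support"))

    try:
        store.use("alice", "marketing")                        # different purpose, no grant
        outcome["marketing_without_consent"] = "allowed"
    except PurposeViolation:
        outcome["marketing_without_consent"] = "refused"

    ledger.opt_in("alice", "marketing", notice_version="privacy-notice-v3")
    outcome["marketing_with_consent"] = len(store.use("alice", "marketing"))
    ledger.withdraw("alice", "marketing")
    try:
        store.use("alice", "marketing")                        # consent withdrawn
        outcome["marketing_after_withdrawal"] = "allowed"
    except PurposeViolation:
        outcome["marketing_after_withdrawal"] = "refused"
    outcome["repurpose_logged"] = any(a.startswith("repurpose") for a in store.audit)
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the ledger has no "default grant": a purpose the person never explicitly opted in to, or later withdrew, is simply absent, which is what makes the store opt-in rather than opt-out. The `notice_version` field ties each grant to the privacy notice the person actually saw, which is the piece of evidence an organization needs when asked to demonstrate that consent was informed.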
The Regulations Might Feel Familiar
The obligations under the GDPR mandate an overarching system across all information gateways that allows organizations to implement a risk-based approach to data protection — with particular focus on potential harm to individuals.
But, at its most fundamental level, the GDPR asks organizations to be accountable for the data that they collect from customers. Practice transparency about why you want to collect data, give customers a true choice about whether or not to provide it, and follow through by ensuring that the data is only used for the exact purpose and within the boundaries of consent.
While they may sound onerous, these regulations align with the general rules of society around information sharing and personal privacy, which most of us learned on the playground, in the classroom and at home. The GDPR is just putting them into law.