Why GDPR matters to your U.S. business.
In this age of consumers demanding more privacy regarding the use and sharing of their personal information, recent laws and changes in data compliance have created a global effect and a hyper-awareness of data privacy for all consumers, and businesses are paying attention. In May of 2018, the European Union enacted the Global Data Protection Regulation (GDPR), which essentially created a new global standard for how personal information is collected, stored and shared.
The state of California has also recently passed a consumer privacy law called the California Consumer Privacy Act, which grants California residents new rights regarding their personal information. The law allows CA residents to be informed about what kinds of personal data companies have collected on them and why it was collected. For both laws, consumers have the right to request deletion of their personal information, opt out of the sale of their personal information, and have access to what personal data has been collected on them.
Big tech companies have been a source of many recent news stories about users’ data being compromised. Data breaches can happen for a variety of reasons: companies can get hacked, holes in a website’s security system can leave information unprotected, or, as in the recent high-profile case of Facebook and Cambridge Analytica, data can be mishandled or sold to third parties. That mishandling and selling of users’ personal information is at the very heart of why these new data privacy laws now exist and why more states are considering implementing consumer privacy laws.
Personal data and the smartphone
So what is considered personal data? Personal data is defined as any information which is related to an identified or identifiable natural person and can include, but is not limited to, names, identification numbers, call detail records, phone numbers, email addresses, IP addresses, geo data tracking, location data and other factors.
Our smartphones have become the central hub of our lives, an integral part of both personal life and work. They now control how we interface with the world around us: how we work, plan, organize, schedule, research, shop, navigate, and socialize. Our smartphones and the actions we perform on them hold tons of data about us: where we go, our behavior patterns and preferences, our interests and so much more. Consumer advocacy groups all across the world are gaining steam and have filed numerous complaints to the FTC and EU against tech giants regarding consumer data privacy issues like data manipulation and user tracking.
It is our opinion that the data contained on wireless carrier bills constitutes personal data and must be protected as well. That is why OVATION has implemented our new “Magellan” reporting platform that is completely GDPR and CCPA compliant. We do not sell or share data in any way.
In the year since the GDPR took effect, there have been 59,000 data privacy breaches reported to the GDPR Supervisory Authorities. One of the first breaches was at an unnamed German social media platform that compromised the data of 330,000 users, including their passwords and email addresses. The platform notified German officials and its users, and because the company notified users of the breach, it was somewhat rewarded for good behavior and only fined $22,812, a relatively low amount. Fines for GDPR infractions could amount to 4% of an organization’s total worldwide annual revenue or $24 million, whichever is greater. Most notably, France just handed Google executives a large fine of $57 million for failing to obtain valid consent to obtain and process users’ data and for having very vague consent agreements overall.
What’s the big deal to US companies?
So if your business is not in California and does not interface with citizens of the European Union, what is the big deal? The GDPR not only applies to organizations located within the EU but also applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Customer data plays a critical role in our world, today more than ever. To survive in this world under these new regulations, companies must demonstrate how their data subjects have consented to the processing of their personal data. Marketing databases have to be cleansed and reviewed to ensure that the organization can identify consent which has been granted lawfully and fairly.
Although GDPR only affects citizens living in or visiting the European Union, there have been recent discussions and interest from consumer groups for the United States to adopt similar GDPR privacy laws. In fact, on the very first anniversary of GDPR, Microsoft was in the news for calling for regulation at the federal level, not just the state level, and for Congress to adopt a framework of new privacy protection regulations that allow full transparency and the right to privacy for all consumers. Microsoft has also introduced new tools and a privacy dashboard for consumers in the wake of GDPR. Apple CEO Tim Cook has also called for a US federal privacy law that would offer similar protections to GDPR.
It is recommended that companies that operate internationally and also here in the US ensure they are GDPR compliant for all of their global audience, to meet stringent data regulations now and in the future. If you are concerned about your company’s wireless reporting in the wake of GDPR, contact OVATION for a no-obligation discussion.