Why Protecting Data Privacy Is the New Normal


When the European Union first passed the GDPR in 2016, the issue of data privacy was not at the top of most companies’ priority lists. The Data Protection Directive 95/46/EC had been in place for more than a decade, but gained little attention due to limited scope and loose enforcement. Today one can hardly scroll through a news feed without encountering a story about companies being challenged — either by legislators or by their own customers — on the way they handle personal data. Organizations that may not have given data privacy a second thought two years ago are now devoting time, personnel, and resources to the task of getting a handle on their data practices. In light of such a dramatic shift, this is a good time to take a step back and look at where data privacy stands today … and where it’s going.

How We Got Here: Milestones

In 2018 alone, we’ve seen three major milestones that testify to the depth and breadth of concerns over data privacy.

Milestone #1: Enforcement of GDPR

With GDPR, the EU created the most extensive data privacy law to date — and more importantly, provided the “teeth” needed to back it up in the form of substantial fines. Now that GDPR is in force, it is being held up as the “gold standard” for data privacy legislation around the world.

Milestone #2: Cambridge Analytica Scandal and Facebook Congressional Hearings

For consumers around the world, the Facebook/Cambridge Analytica scandal and the ensuing Congressional hearings were a wake-up call highlighting just how vulnerable online personal data can be. The public outcry was vociferous, with many demanding a GDPR-like federal law be passed in the United States.

Milestone #3: CCPA

Just one month after the GDPR enforcement date and two months after the Facebook hearings, the state of California passed the California Consumer Privacy Act (CCPA), granting residents a series of rights concerning their personal data and requiring businesses to comply with the exercise of those rights. The CCPA includes a private right of action for violations that result in unauthorized access to residents' personal data (data breaches).

What’s On the Horizon

In several states, in the U.S. Congress, and in legislatures around the world, new data privacy bills are emerging to expand the landscape of regulatory requirements. Colorado, South Carolina, and Vermont have passed new data privacy and security laws, and New York is considering expanding its current data security legislation. At the federal level, lawmakers are considering the Social Media Privacy Protection and Consumer Rights Act of 2018, the BROWSER Act, and the Do Not Track Kids Act of 2018. On a global scale, Brazil has passed its own GDPR-like law, and India and Argentina are drafting personal data protection bills.

Around the world, data privacy laws are growing not only in number, but also in the stringency of their requirements for transparency and disclosure. Businesses are being called upon to pull back the curtain on their data practices and inform users about what information is being collected, how it’s being used, and who (internally and externally) has access to it.

Before they can inform users, organizations must first inform themselves. Black-box databases and data processes that exist solely “because that’s what we’ve always done” have no place in today’s regulatory environment. It’s only a matter of time before the majority of companies are impacted by one or more data privacy regulations, and one thing these laws all have in common is a prerequisite of knowing what data you have, how you process it, where and how you store it, and where it goes.

Evolving Consumer Expectations

In addition to avoiding fines and penalties from regulatory agencies, companies must also be mindful of escalating consumer concerns over the use of personal data.

While governmental bodies may be limited in the number of violations they can realistically process in a timely manner, the court of public opinion, fueled by social media, moves at the speed of light — 24 hours a day, seven days a week. In an environment where a single tweet from an unhappy customer can impact a company’s global reputation, sloppy or illicit data practices can have repercussions that extend far beyond regulatory fines.

Where to Go From Here

As new data privacy bills appear in legislatures across the United States and around the world, it’s clear that GDPR was not a one-off occurrence. Consumers are demanding greater transparency and responsibility in the way businesses handle their personal data. Whether those demands result in actual legislation or not (or more accurately, not yet), companies can no longer afford to ignore them.

So, where do businesses go from here? Even if you’re not covered by GDPR or CCPA, this is the time to get a handle on your data — to find out where it is, how you’re using it, where it goes (internally and externally), and what happens to it when you no longer need it. By doing so, you can position yourself not only to align with future data privacy laws that may affect you, but also to build trust with your customers.


Jill Reber and Kevin Moos, September 2018
