Image from WoodleyWonderWorks, found on Flickr, source link: https://bit.ly/2LYueop
The May 25, 2018 deadline for the EU General Data Protection Regulation (GDPR) is fast approaching, bringing with it new standards for data security–and the potential for hefty fines. If you’re a multi-national business, you’ve likely been preparing for these regulations since they were announced. But if your market isn’t quite as well defined, or if you’re explicitly not interested in selling to the EU, there may still be benefits to becoming compliant with the GDPR.
What is the GDPR?
Broadly speaking, the GDPR establishes a new standard for the collection and processing of data. When collecting or processing data on people within the EU, companies must prove the validity and necessity of doing so. Note that merely collecting data on people in the EU is the threshold for the regulations–a transaction is not necessary. There are six lawful bases for processing data, the most notable of which is consent.
Acquiring consent to process someone’s data is now opt-in rather than opt-out and requires clear language. Checkboxes can’t come pre-marked, and the consent agreement can’t be hidden within a document. In other words, you must directly ask someone for their data and tell them what it will be used for. They also reserve the right to withdraw that consent at any time. The overall impact is to reduce deceptive practices, increasing transparency in the data processing.
Regardless of how you acquire and process a person’s data, you have to be able to provide it to them free-of-charge if they ask. This means that their data needs to be stored somewhere secure, which is the second main impact of the GDPR.
When it comes to protecting data collected from people in the EU, that onus falls squarely on your business. That also makes it your responsibility to find compliant data processors. Plausible deniability is no longer an acceptable excuse in the event of a breach.
Practically, this involves encrypting stored data, making it functionally useless until accessed by the appropriate parties; it also involves limiting the definition of “appropriate parties.” Furthermore, you will also be responsible for the physical security of such data. This requires proper backups as well as secure storage of any physical object that holds or processes data. Destroyed or stolen hard drives are treated just as seriously as a digital hack.
Where do you fit in?
If this all sounds like a lot, it’s probably because it is. Companies of all sizes have expressed their concerns with the cost of meeting these regulations. A 2017 survey found that a majority expected compliance costs to reach at least $100,000, with 40% saying it would be at least half a million. If your plan doesn’t involve an overseas market, or if your digital commerce strategy is merely complementary to your local physical stores, this cost may not be worth it. The market as a whole, however, may end up forcing your hand.
Bells and whistles, once they become popular enough, can end up as necessary features (link to order management). And data security is becoming increasingly popular among consumers. A recent RSA study found that 54% of people would be less likely to buy from a company that mishandles data while 50% would be more likely to buy from one that takes privacy seriously. It also found that people expect more security and transparency, with nearly two thirds likely to blame the company–rather than the hacker–for a breach. When the GDPR goes into effect, more than half a billion people will suddenly have the most transparent and secure digital commerce experience on the planet. They’ll come to expect the best.
The GDPR knock-on effect
Predicting the future of data privacy and digital commerce, especially regarding regulations that don’t apply to the single biggest economy in the world, is hardly an exact science. Case in point: It’s unclear whether Facebook will enforce the same protections around the world. When the GDPR goes into effect, North American users may find that little has changed for them.
They will notice, however, that it has changed for a whole host of people across the Atlantic. If a GDPR-compliant company then brings those protections to the US, they’ll have a selling point that other companies don’t. For all the value that’s placed into customer experience, this is another feather in that cap. And as soon as people get used to a popular feature, they start to expect it.
The future of data
Whether the GDPR pulls the rest of the world into its regulatory orbit or not, the fact is that data collection and processing has been largely unregulated for a long time. This type of Wild West landscape is unlikely to last much longer, and like the Wild West, it’s unlikely to return once it’s gone. People want their data to be protected; changes are coming in one form or another. Whether or not you have to follow the GDPR, it can give you an idea of the new data landscape. It’s going to look different before too long.
If you’re interested in learning more about how you can implement more data security measures into your digital commerce platform, please contact us. There’s no cost for an initial consultation. If you’d like to know more about the world of digital commerce, subscribe to our newsletter.