Read the phrase ‘Europe’s new data protection laws’, and you may be tempted to skip to another article, asking the question: ‘Why is that relevant to me?’ But the EU’s General Data Protection Regulation (GDPR) will have far-reaching implications globally, not just for businesses “owned and operated” in Europe.
Indirectly, the implications of the GDPR are being felt across the globe, influencing other regulators as they review and revise their own laws. Directly, the new regulation – which comes into force on May 25th 2018 – gives European citizens more control over their data, the right to access, the right to rectify, the right to be forgotten, and the right to data portability. It obliges companies to obtain explicit consent from consumers to collect and process their data for clearly defined purposes, as well as requiring them to implement privacy by design principles, appoint a data protection officer, and report data breaches within 72 hours.
Directly, the new regulation – which comes into force on May 25th 2018 – gives European citizens more control over their data, the right to access, the right to rectify, the right to be forgotten, and the right to data portability.
The GDPR also opens the door to many more ‘stakeholders’ involved in enforcement. It allows EU citizens to group together (in something akin to a class action) and take independent measures, either via the regulators or through the courts.
So why should US-based companies take notice of this ‘European’ regulation, and what can they do to prepare for its enforcement?
The GDPR transcends physical location
The key point about the GDPR is that is applies to any business that “processes” the data of EU citizens, whether the company is physically located in the EU or not. This means any US-based company with even a single customer in the EU will need to assess how they comply. If they process data about EU individuals in the context of selling goods and services or monitoring behavior then they should already have a GDPR project up and running.
With fines of up to 4% of global annual turnover applied to both data controllers and data processors, no business should take the risk of being non-compliant.
Despite a thriving technology sector, Europe’s ad and mar tech scene is still dominated by conformity to the market-driven standards created by US companies. The GDPR is now unpicking the technical and business logic from the US as the assumptions about privacy clash with the European privacy model. With fines of up to 4% of global annual turnover applied to both data controllers and data processors, no business should take the risk of being non-compliant.
A move towards global privacy regulation
The second reason US-based companies should take note of the GDPR is a general global move towards protecting personal information as consumers become more aware of the data held about them and what it is used for.
It is true the current American government is more relaxed about consumer data privacy than the last administration, using the Congressional Review Act to repeal a landmark FCC rule for broadband providers that would have required users to opt into the processing of browsing history and app usage data, rather than relying on implied consent.
But government terms of office are short, and consumer concerns over data privacy are high, so it is only a matter of time before data privacy regulations are back on the national agenda. As an already established framework, the GDPR could easily become the de facto global privacy law used by non-EU countries such as the US. Countries around the world are aligning with the EU because it links the terms of its trade deals to the “adequacy” of a country’s data protection regulation.
Formulating a plan for the GDPR
In preparation for the GDPR, businesses need to look at the way they interact with consumers, providing them with easy-to-understand mechanisms for executing their newly enshrined data rights, particularly in relation to obtaining consent to data processing. An interesting example is Facebook, which has been arranging a series of “design jams” around the world so agencies can explore how they can deliver meaningful choice and transparency. Alongside customer facing initiatives, businesses also need to look at how they might use a full range of privacy enhancing technologies.
The GDPR deals with the collection, processing and storage of personal data that permits the identification of “data subjects” – living human beings – so naturally businesses are looking to anonymization – the process of turning data into a form which does not identify individuals – as it does not fall within the scope of the regulation. But there are two sticking points here.
Firstly, the US and the EU have different definitions of anonymous and personal data.
Firstly, the US and the EU have different definitions of anonymous and personal data. The GDPR brings in new and broadly defined definitions, so data must be treated in compliance with the new laws. The new regulation introduces the concept of pseudonymization, where identifying data is held separately from processed data so that it can’t be linked to a specific data subject without the use of additional information. Using pseudonymization could reduce some of the requirements of the GDPR, but it is still subject to complex regulations.
Secondly, even supposedly anonymous or pseudonymized data can often be de-anonymized through the process of reverse engineering. In a recent example, a German journalist and data scientist were able to determine the identities of high-profile German citizens by accessing apparently anonymized browsing data.
There is an alternative to anonymization and pseudonymization which companies preparing for the GDPR could consider – dynamic de-identification. Dynamic de-identification takes a persistent ID – an identifier that uses deterministic log-in data to provide a single view of the individual across multiple platforms and channels – and transforms it into a non-persistent and event based tokenized ID. Unlike other forms of de-identification, where the identity of the data subject can often be inferred across multiple data sets, a dynamically changing identifier makes individual identification impossible, resulting in innate compliance with privacy legislation.
There is no doubt that, despite being an EU regulation, the GDPR will have a global impact, and US companies will need to be prepared for the changes by adopting new strategies and technologies. They will need to look for long-term solutions for data protection, giving peace of mind to concerned consumers and preparing US businesses for the GDPR and any other privacy regulations that are coming their way.