The EU is now the world leader in data protection with the introduction of new regulations replacing outdated data protection directives from 1995 and 2016. Most PR agencies and practitioners have gotten or are getting their houses in order to accommodate changes like this one in the digital market space. Notice the myriad of emails about updated privacy policies in your email recently?
The one to which I refer came into effect on Friday, May 25. It is the General Data Protection Regulation (GDPR).
The intent is to provide protections for European citizens’ private information. Hence, anything that identifies an EU citizen privately, they want to have it protected and it also provides for portability of said information, meaning it regulates the exportation of citizen’s data.
As communicators, whether you are in the private or public sector, it is best to have a working knowledge of this change. After all, it is our job to stay on top of the regulations, it is called being responsible. Ignorance is inadmissible in this regard. The GDPR is the reason why if you are asking for information in a piece of content, such as an ad, your content must be appropriate and or allowed for that channel. You may break the rules without knowing if you don’t familiarize yourself with the rules of data collection under the GDPR.
You may be thinking that because you are not in Europe, it doesn’t apply to you, don’t. You may have or gain clients in that area and become vulnerable. Hence, it is best to behave as if you are in that market and can be exposed to a complaint from a citizen therein. Communication in PR and marketing is about trust, and that trust extends to data protection, so do your best to ensure your company doesn’t betray this trust because of ignorance.
Multinationals need to care obviously because they will have the private information of EU citizens, these companies must be cognizant of the fact that their geographical location is immaterial as citizens of these countries can file class action law suits against them if their private information is mishandled. Consider this simple example: I am a retailer in Florida, and through my business I’m collecting data from my customers, if the data becomes compromised, and an EU citizen’s data is among the compromised information, that person or group of persons can take action against me under the GDPR.
GDPR will change the game in far reaching ways. Some of the things it requires if there is a data breach are as follows:
the company must notify the affected countries (their representatives) within 3 days of such breach;
Companies have to immediately provide details of the data breach in terms of which citizens’ data was impacted;
The regulation requires that companies make the data of their citizens portable, meaning, the citizen can be asked to ‘be forgotten’ or to move it to another company.
In relation to the first two points, typically it takes a couple of weeks to get to the bottom of data breaches. This means cyber security companies must find ways to speed up their investigative processes to stay relevant in the wake of GDPR. If a company must report to an EU country within 3 days, their processes must be able to accumulate great detail about a breach in 48 hours. So security systems will have to be set up to be far more robust. But detecting the breach is one thing, revealing it is another. Recall Yahoo’s data breach in 2014 when more than 500 million accounts were compromised? Yahoo only disclosed this information 2 years later. Under the GDPR, this cannot happen, and if it does, there will be hell to pay. Yahoo will be $35 million poorer for their error in judgement.
Let’s face it, breaches will happen. GDPR is now just forcing companies to be far more vigilant.