With business moving at an unprecedented pace, many company leaders fail to slow down and thoroughly review all of the challenges and opportunities, large and small, that could impact their organizations’ future success. There’s barely time to complete daily tasks, much less set aside a few hours (or even minutes) for strategic reflection.
Be that as it may, any business owner or operator should take time to ask himself or herself this question: When it comes to your business, what can you afford to lose before you reach your pain point, that personal threshold that prompts you to take action even when you don’t want to? A few customers? A couple thousand dollars? The company’s reputation? Everything? Nothing?
The question may seem a bit nonsensical, but it’s one that leaders at any organization that gathers and stores the personal data of others should seriously consider. For proof, you need only look to the General Data Protection Regulation (GDPR), the sweeping privacy law approved by the European Parliament in 2016 and enforced since May 2018.
Under the GDPR, any company—regardless of its size, what industry it’s in, or where it’s located—that collects or processes personal data (think name, address, phone number, and the like) from any European Union resident must allow that person to see information that pertains to him or her and, under certain circumstances, request to have it erased. Organizations must also provide notice of a personal data breach within 72 hours and ensure that data policies are easy to find and, more important, understand. In cases where sensitive personal information such as medical records, genetic data, and racial or ethnic origin is being gathered, customers must give explicit consent before it can be shared.
Failing to comply with the GDPR comes at a steep price. Organizations that run afoul of the law can be fined up to 4 percent of their annual global revenue or €20 million, whichever is higher. Google felt the sting this past January, when France fined the company $57 million for GDPR violations. This marked the first time a major tech firm had been penalized under the regulation, but others are sure to follow as the EU ratchets up enforcement.
Not to be outdone, California governor Jerry Brown last year signed into law the California Consumer Privacy Act (CCPA) of 2018, legislation that many observers have dubbed “GDPR Lite.” The CCPA, which will take effect in January 2020, gives the state’s 40 million residents the right to view and correct the data that companies collect on them. It also allows them to request that it be deleted and not sold to third parties. Any company—wherever it’s located—that does business in the state and holds data on more than 50,000 California residents is subject to the CCPA, and civil penalties levied per record are $2,500 (unintentional) and $7,500 (intentional). California residents may also take direct civil action against businesses via lawsuits.
The implications of these two data privacy laws can’t be overstated. Currently, the United States lacks an overarching federal law governing the collection and use of personal information; instead, dozens of federal regulations are in place that govern only certain sectors and types of sensitive data, a patchwork approach that creates confusion and leaves countless gaps in protection. Given the increasing prevalence of data breaches, the public’s growing concern with privacy, and the continued escalation of regulatory oversight, it’s only a matter of time before more comprehensive data security laws are enacted. The GDPR and the CCPA provide the framework and precedent for such regulation.
Regardless of the timing of any future legislation, there are a number of things you should consider doing now to prepare for the future and safeguard your business as the landscape shifts:
Assess your risks and exposures. If you hold the personal information of others (employees, customers, vendors) or sensitive data that’s important to your organization, you need policies, procedures, and technical defenses in place to protect it. An experienced data security specialist can help you think through your risk exposure, whether for data you currently hold or data you might gather in the future. The engagement can be as simple as a one-hour conversation to answer some key questions and determine whether the laws even apply to your business, or as comprehensive as a full audit that includes penetration testing, vulnerability scans, and other risk assessment measures.
Adjust your mind-set. In the United States, most companies that collect data view it as their property, a commodity that can be used for marketing, sold to third parties, or utilized in a variety of other ways. The GDPR and the CCPA run counter to this “traditional” mode of thinking by recognizing data as the property of the individual. Aligning your business practices with this mind-set and positioning your company as a steward of the information rather than its owner can foster a new level of employee, customer, and vendor trust.
Be proactive. The GDPR and the CCPA are the tip of the proverbial iceberg when it comes to broad-based data privacy laws. More legislation is on the horizon, and businesses will eventually have no choice but to comply. The majority of companies will no doubt wait until that time to incur the cost; however, forward-thinking organizations that invest the resources now in anticipation of these regulations will already be compliant when laws are enacted and others scramble to adapt. This, in turn, will provide these proactive companies with an advantage they can leverage to build loyalty and distance themselves from the competition.
Change is rarely easy, but as Sam Cooke conveyed in song, it’s “gonna come.” By shifting gears now and taking steps to prepare for inevitable modifications to data privacy laws, you’re investing in the future success of your business. That’s a proposition that should prove appealing to even the most time-strapped individuals.
Ira Bedenbaugh is a principal in the Healthcare Consulting practice of Elliott Davis. He can be reached at firstname.lastname@example.org.