Companies have a lot more to lose than just data
When people think about the term “privacy,” they often focus on data breaches. After all, that’s what makes the headlines, but there is so much more to getting privacy right—and wrong—than the simple loss of data. For example, we’re talking about the use of data without consent, creeping people out with behavioral targeting and other customized services, the misuse of data by vendors without permission (as Facebook learned with Cambridge Analytica), and, it seems, something new to add to the list with each technical innovation.

Now, the stakes are rising with the European Union’s looming General Data Protection Regulation (GDPR). Standing at more than 100 pages in length and the product of more than five years of legislative deliberations, it will redefine the way that privacy is managed across the globe. In the United States, we have largely focused on determining what is “deceptive” or “unfair.” Essentially, if your privacy notice tells people what you’re doing, you’re largely in the clear. Beware, web browsers, beware.
The GDPR introduces and codifies new rights for individuals over the personal data that organizations collect and use. This regulation protects the personal data of all natural persons in the European Union (EU)—even non-citizens who happen to be within the territory of the EU when their data is collected. Further, its jurisdictional reach is such that any organization that is marketing to people in the EU, or processing the data of people in the EU, falls under its scope, regardless of where in the world that organization is located. With a potential penalty of 20 million euros or four percent of annual
DOCUMENT Strategy Spring 2018