If you follow the breathless coverage of the recent stock market swings, you might imagine that CEOs are glued to their TV sets and refreshing stock tickers by the second. But strategic leaders understand how to separate the signal from the noise, and corporate executives I talk to are far more interested in the macro trends that will impact the global economy—and their companies—throughout 2018 and beyond.
One of these major, game-changing trends will hit the business world on May 25, 2018, when the European Union (EU) will begin enforcing the General Data Protection Regulation (GDPR), a comprehensive and aggressive approach to the increasingly complex challenge of protecting consumer information.
GDPR will codify data protection rules for all companies that collect data from EU citizens while greatly expanding individuals’ control over how and when their personal data is collected and used. And while the regulation is EU-based, it has global reach and implications. If even a single EU citizen visits the website of a company based anywhere in the world and data is collected on that individual, that company must comply with GDPR or risk severe penalization.
But it would be a mistake to think that the impact of these regulations will be limited to the tech titans. Gone are the days when one blanket opt-in can bind all users to broad data collection. Under the new rules, these companies will need to be much more specific about how they will use data and get permission for these specific uses.
But it would be a mistake to think that the impact of GDPR is limited to the tech titans. In the U.S. especially, where many companies are built on their ability to capture, sell, or leverage data to target individuals, the new regulations—which grant individuals the right to have their information deleted from databases under various circumstances—will force businesses of all sizes and kinds to dramatically rethink their data practices.
Companies that don’t comply face potential penalties of up to 4% of their annual global revenue or €20 million, whichever is higher. And with member nations ramping up their enforcement capabilities as we speak (the United Kingdom alone is hiring 200 enforcement staff), it is becoming clear that all companies, not just the industry giants, could be targeted.
Facing a new regulatory minefield, U.S.-based companies have a narrow window of time to assess their capabilities and vulnerabilities and address areas of concern. In the short time until GDPR implementation and enforcement begins, companies should pay particular attention to the four key components of the new regulation:
U.S. state and federal laws have long required reporting of many types of data breaches, so this is not entirely new. But GDPR expands the definition of a breach, and mandates that authorities be notified within 72 hours—and if the controller determines that the breach “is likely to result in a high risk to rights and freedoms of individuals,” then affected individuals must be notified “without undue delay.” Companies will need to create an expectation among their cybersecurity teams to identify and report incidents much more quickly.
Getting individuals to check one box agreeing to a thousand words of terms and conditions is no longer acceptable by EU standards. The terms must now be written clearly, consent for each term must be gained separately, and consent must be renewed regularly. Records of consent must be auditable. Companies will no longer be able to rely on the fine print and must have privacy policies that are clear and consumer-friendly.
Access and correction
EU citizens will now have the right to know what information a company has gathered on them. The information must be produced electronically, and wrong or incomplete information must be corrected on request. This will require a new level of record-keeping and will make it harder for bad actors to hide consumer-unfriendly data usage.
The “right to be forgotten” made headlines in the U.S. in 2014 when a citizen of Spain won a judgment that Google had to take down personal information about him. GDPR extends this right much further, requiring companies to delete even non-publicly shared data under a variety of circumstances. If the user asks to be forgotten and then a month later gets an email solicitation from that company, they can file a complaint. Following this regulation will be one of the most challenging aspects of GDPR.
Every company needs a plan that maps its data processes and data handling procedures, identifies gaps and actions needed to close those gaps, and prioritizes these actions based on risk. It is also critically important to have clear procedures in place so that if and when a vulnerability is determined, the company is prepared to communicate effectively to lawyers and government officials, as well as customers, employees, investors, and other stakeholders. Compliance officers should keep a very close eye on early enforcement efforts, as they will provide critical insight into how to allocate compliance resources going forward.
At the same time, there is no one silver bullet for becoming a GDPR-compliant organization. Because there is no history to study, all companies must start from square one. The key to success will be adopting the mentality that privacy—like user-friendliness and quality customer service—is a fundamental expectation to be integrated at every level of operations.
With just a few months to go before GDPR takes effect, perhaps the greatest fear is of the unknown. We know that GDPR will cause a fundamental shift in the way companies collect, manage, and utilize the customer data they collect. Yet many companies are waiting for the first shoe to drop in order to react. That’s a mistake. Now is the time to be proactive—for the good of the customer and the business.
Peter Zaffino is the CEO of general insurance and global chief operating officer for AIG.