We’re a few months into the GDPR – the General Data Protection Regulation – but questions remain about how effective the policy is as a global data privacy strategy.
Introduced to protect European clients’ data, the GDPR is technically a global policy. If European users want to access a website, it needs to be GDPR compliant; conversely, companies can’t do business with European companies and clients if they don’t opt into the EU guidelines, even if their company is located outside the EU. In other words, what started as a security strategy may be walling off the international community the internet created in the first place.
Case Study: US News Sites
One key sector in which we can see the GDPR creating barriers is around news websites. As of early August 2018, one-third of US news sites were still non-compliant, meaning that they’ve opted to bounce EU users rather than make security changes. This includes relatively significant news sources like the New York Daily News, the Los Angeles Times, and the Baltimore Sun. Overall, news properties owned by tronc, Berkshire Hathaway, and the New Media Investment Group (all companies with the resources necessary to update their site privacy) have failed to make the update.
Does it really matter whether EU web users can access American newspapers? Some might argue it’s a minor issue and that newspaper sites weren’t the target of the GDPR. On the other hand, the changes are not actually that onerous. These sites would need to protect customer information, review their mailing lists, and establish a detailed privacy policy. These changes are just good practice and, more importantly, failure to comply makes for a less informed global populace.
Commercial Implications
Though newspapers may not have been at the top of the list when EU leaders were developing the GDPR, the policy has the ability to make or break other companies. The LA Times isn’t going to fail because they’re bouncing EU readers. On the other hand, IBM recently failed a simple data consent requirement. It was likely a programming oversight (the page included the correct consent boxes but still required users to concede their data), but mistakes like that can be costly.
Under the GDPR guidelines, failure to comply with the policy, regardless of where the company is based, comes with enormous fines, estimated at the greater of €10 million or 2% of global annual turnover, or even the greater of €20 million or 4% of global annual turnover. Fines like that can push an otherwise successful company to the margins.
Many other companies, recognizing these risks, have taken much more aggressive steps to remain GDPR compliant. Salesforce, for example, has built stronger data access controls into the software with layers of permission to protect and divide customer information. Historically, Salesforce had broad allowances for data sharing across companies, but the brand quickly recognized that, under GDPR, it needed to rethink its design strategy.
Data sharing and global connectivity are the lifeblood of business, so it’s not surprising that companies have had strong responses to GDPR. Like newspapers, advertisers have been resistant to new regulations: they don’t like walls on their data or their communications. Advertisers thrive on unfettered access to data.
The GDPR will force all businesses and websites on a global scale to rethink how they handle data and communications practices, but companies should resist walling themselves off. Getting it wrong can be risky, but isolation in its many forms is a much bigger threat to businesses and their clients alike.