Welcome to the Jungle

A Guide to Data Privacy in the Era of GDPR, Part I

In 2018, the European Union enacted a regulation on the protection of personal data, and the free movement of such data, entitled the General Data Protection Regulation, or GDPR. It stands out as the most comprehensive and optimistic attempt to protect consumer data in the digital age. It establishes strict rules for data processing, details citizens’ rights regarding their data, and envisages a penalty structure for companies that act carelessly or in bad faith. Most importantly, this law started a conversation on data privacy that resonates globally, and which has already spawned the first American privacy bill, the California Consumer Privacy Act, or CCPA.

If you work with consumer data, there’s a good chance you’re already familiar with common privacy regulations, security best practices, and the potentially catastrophic consequences of a breach. The GDPR and CCPA raise the stakes, and are likely the first wave of an oncoming tide of similar laws. And while European companies have already largely reconfigured their practices to comply with the GDPR, many American companies haven’t. Multinationals are already playing by the new rules, but smaller companies – companies with only local ties and no contact with Europe – have yet to begin. For them, it’s the January 2020 enactment of the CCPA that turns this from a distant concern to an immediate need. Your company may not market widgets in the EU, but there’s a good chance that you’ve got data on at least one Californian widget buyer. That means the CCPA applies to you.

“But wait,” you say, “I run a little mom-and-pop operation in Des Moines, Iowa, and my website only gets 1,000 visitors a year, and I’m really not known outside my county. Surely none of this applies to me.” It’s true that if you aren’t currently holding data on citizens covered by the laws, then you really don’t have anything new to comply with. But that doesn’t mean you can’t, and certainly doesn’t mean you shouldn’t. These two regulations are the first falling pebbles of a landslide of consumer protections that will eventually reach into every business in America – including those little shops in Des Moines. Consumers want to be protected, and businesses should want to protect them.

There is already a lot to unpack with GDPR and CCPA. They represent a formidable amount of work: auditing and analyzing business practices, developing and testing systems and security controls, deploying new websites and phone numbers, and establishing new ways of doing business. The timer is already running, accompanied by whispers of more new laws on the horizon. Companies need to start working today, and need to internalize what these laws represent, so that this workload doesn’t become a barrier to survival. It’s time to act.

That brings us to a critical question: where do we begin?

Stay tuned for part two of this blog, and an upcoming SIGMA Insight on the subject.