A Blog About Current Issues in White Collar Defense
Customer Data Collection: GDPR Changes Everything.
Beginning on May 25, 2018, companies that process the personal data of individuals in the European Union will be expected to comply with the General Data Protection Regulation, or GDPR.
Even companies located in the United States are subject to the regulation, and violating its terms may result in class actions and hefty fines. If your company collects, stores or mines the data of EU residents, you may need to dramatically change the way you do business.
The General Data Protection Regulation (GDPR) takes business attitudes about customer data collection and turns them on their heads. Today, customer data is viewed as an asset to be avidly collected, mined and used for business and marketing purposes. After GDPR, you will need to view the data of individuals in the EU in an entirely different way: it belongs to the individual, not to you, and you cannot hold it, or repurpose it for your own ends, without a lawful basis and without telling the individual.
Instead of possessing valuable data, you are merely the temporary steward of information that does not belong to you. How you handle the information entrusted to you will be closely scrutinized. In fact, you will have to be able to demonstrate at every step that if you hold customer data, you hold it for a specific, legitimate purpose and only for as long as that purpose requires. At every turn, you will need to inform the customer what you are doing with their data, and why. The penalties for non-compliance are steep.
That sounds simple, but it is not. Companies have built marketing, customer service and technology around the “collect and mine customer data” mindset, and these systems are pervasive throughout the corporation. Now companies will need to unwind or rebuild existing data collection and mining processes to comply with the GDPR wherever EU customers are involved.
Data of customers outside the EU can continue to be treated as it is today. This dual treatment of customer data, which depends on where the individual is located rather than on citizenship, will be complex to implement, and areas of potential GDPR violation will be insidious and perhaps hidden in unexpected places.
To operate your business within the framework of the GDPR, you may need to change the way you view, and the way you value, personal data. It is no longer a gold rush for data mining (and capitalizing on that data). Personal data under the GDPR is the property of the individual, and businesses will need to respect that ownership. Instead of striving to capture as much data as possible, you will need to strive to respect individuals’ data rights as much as possible…or else pay a steep price. Companies found to violate the GDPR may be subject to fines of up to 4% of worldwide annual turnover or 20 million Euros, whichever is higher.
To prepare for this drastic change in the collection, storage and use of personal data, you will need to examine your policies covering privacy, data protection, customer notice and consent. You may need to appoint a data protection officer. Ifrah Law can help by reviewing your current business practices, identifying where you may be in violation, and advising on new protocols.
For more information on how to get ready for GDPR, contact Ifrah Law.