Facebook, the king of gathering data on a wide range of users’ interests, has landed itself in the headlines for the past few weeks. First, with the notification that the data from 50 million user profiles was sent to political consultancy Cambridge Analytica, then again when CEO Mark Zuckerberg spoke about how his firm intends to tighten privacy across its platform in the wake of that scandal.
One of the things touched upon as part of that discussion was how Facebook is complying with General Data Protection Regulation (GDPR), the EU law that in essence gives individuals control over how their data is captured and used. The law will start being enforced on May 25. Although the U.S. has no similar law to GDPR, last week in a congressional hearing, Zuckerberg committed to giving U.S.-based users similar protections as EU users will receive. Until then, Facebook had somewhat skirted around the issue of how it would offer the stronger protections to its users that GDPR mandates. Critics are skeptical that Facebook’s new privacy efforts will have any real impact.
Facebook, which has one of the world’s biggest databases of personal data from more than 2 billion active users, is an extreme example of a consumer company struggling to figure out compliance with this complex set of requirements. But in the case of GDPR, company size or whether you’re a B2B or B2C company really doesn’t matter. If you’re a business with customers or users in the EU, you must comply with the GDPR privacy mandate or risk steep fines.
Because GDPR impacts just about every company, there are common issues and themes which B2B technology companies need to consider.
1) The law is about privacy, but it’s also about security. In the U.S. in particular, privacy and security haven’t necessarily gone hand in hand. One has been the domain of IT (or, in larger companies, the chief security officer) and the other the domain of lawyers. GDPR changes that; the law includes requirements for the protection of personal data that can only be met through security controls. Security teams need to understand privacy in a whole new way. GDPR may also give rise to a whole new C-level title: Chief Privacy Officer (or Director of Privacy, as mandated in the law).
2) GDPR requires companies—including their marketing teams—not only to know what data they gather and store on individual users, but also to give those same users the “right to be forgotten” and the ability to port their personal data to other companies. That requires companies to know exactly what data they hold on their users and customers in the EU. It’s a difficult chore, but one with a silver lining: it gives companies the opportunity to know their customers better by knowing their data.
3) While the GDPR regulations impact EU citizens, it’s a good opportunity for B2B companies to look at how they collect and treat data on all users, regardless of where they live. In the wake of Cambridge Analytica-type scandals, people are taking a harder look at who has their data and how it’s being used. For many users, deleting accounts—as is happening in the #DeleteFacebook movement—is not enough, as it simply means companies can’t collect any more info on them. Being transparent with users, i.e., showing them what types of data you collect and what you do with it, is a huge step in keeping or regaining their trust.
GDPR is destined to protect individuals’ human privacy rights, and compliance will be a complex and lengthy process. Companies that embrace the process and apply GDPR’s principles to all users regardless of location will benefit the company, and its users, in the long run.