GDPR is a Good Idea For US Companies, Even if it is Not Law

Being originally from Europe and now operating a SaaS data collection company in the US, I have a unique vantage point on data privacy, both from the point of view of businesses’ legitimate interest in data collection and from Europe’s history of stronger consumer privacy protections.

In the US, the prevailing attitude toward data protection has been one of wait-and-see. Most legislators favor industry self-regulation and companies don’t seem interested in adopting new practices until there is a law requiring them to do so.

Many companies’ privacy policies are intentionally very vague about what they do with their users’ information. This is born from a desire to not overly restrict what could be done with the data in the future, and often also out of fear of potentially misrepresenting poorly understood data collection processes.

This has allowed organizations to share and market user data pretty much however they want. It also led to Facebook’s CEO testifying before Congress regarding the data of 87 million users being passed to Cambridge Analytica.

On the dawn of GDPR, and with the spotlight on major data breaches, perhaps the US is ready to take another run at data privacy regulation. We’re at a tipping point where one more privacy scandal could push data privacy into an election-year issue and give momentum to Consumer Privacy Bill of Rights initiatives in Congress.

But I’m in the US, why should I care about GDPR?
Even if the US doesn’t pass legislation protecting consumer data, many companies will still need to ensure GDPR compliance to continue to interact with European users. If you are based in the US, but collecting and processing Personal Data of European Union (EU) citizens, then the GDPR may apply to you.

It can get a little confusing, as merely having a website or a web form accessible from the EU doesn’t necessarily mean GDPR applies to you. However, offering services aimed at European users, or having a large number of users from the EU, means GDPR will apply to you.

Under the GDPR users have:

  • The Right to Transparent Information 
  • The Right to Request Access, Rectification or Erasure of Data
  • The Right to Withdraw Consent or Object to Processing
  • The Right to Lodge a Complaint to a Supervisory Authority, which can result in fines.

The best thing US companies can do is to adopt a “Privacy by Design” stance when it comes to their users’ data. This gives user data the respect it deserves, and also allows them to operate within GDPR, with the expectation that U.S. regulations will eventually catch up.

Privacy by Design means that the privacy and protection of personal data is embedded in the design of the data collection process, that it is the default setting, that it minimizes the amount of data collected and who it’s shared with, and that it is done in full transparency.

The principles of “Privacy by Design” are pretty straightforward and probably sound a lot like the best practices that you’ve heard from compliance experts and privacy advocates for years.

Also, it’s worth noting that following a “Privacy by Design” model does not mean you are sacrificing an advantage for your business. A legitimate reason for collecting and processing personal data is not incompatible with protecting individual privacy rights. If you are concerned about your users’ privacy, then you are likely already taking this into account when you ask for data. 

You will need to increase your transparency about your data practices, and you will need to rebalance your resource allocation to make sure you cover the entire lifecycle of your data, from collection to deletion. Disclosures in clear, easy-to-understand language, and attention to individuals’ requests about their personal information, build trust and are ultimately good business.

Finally, informed and explicit consent should be the standard for your data collection practices. Your forms and marketing materials shouldn’t automatically be set to “opt-in” to data collection. Users should not be required to take an extra step to “opt-out”, and they should not find out later that they were tricked into consenting through click-through Terms of Service or complex Privacy Policies. An affirmative action to opt in will again increase the trust of your users.
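To make the opt-in point concrete, here is an added example (my own illustration, not code from the original post or from any product it mentions) of a small consent ledger. It refuses consent from a control that was rendered pre-checked, refuses absent opt-ins, keeps one dated record per purpose and privacy-notice version, and serves the access, withdrawal and erasure rights listed earlier. The class and function names, the in-memory store, and the sample form values are all constructed assumptions.

```python
"""Explicit opt-in consent ledger (added example, not from the original post).

The store is in-memory and hypothetical; a real deployment would persist the
records and log who changed them. Purposes and notice versions are constructed.
"""
from dataclasses import dataclass, replace, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class ConsentError(ValueError):
    """Raised when a submission does not amount to explicit, affirmative consent."""


@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    purpose: str                 # one specific purpose, e.g. "marketing_email"
    notice_version: str          # the privacy notice the user actually saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentStore:
    """Hypothetical ledger keyed by (user_id, purpose)."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record_opt_in(self, user_id: str, purpose: str, notice_version: str,
                      box_checked: bool, box_prechecked: bool,
                      now: Optional[datetime] = None) -> ConsentRecord:
        """Store consent only when the user took an affirmative action.

        box_prechecked describes how the form was rendered; box_checked is what
        came back. A pre-ticked box is rejected even if it returns ticked, because
        the user never had to act in order to "agree".
        """
        if box_prechecked:
            raise ConsentError(f"{purpose}: consent control was pre-checked, not an affirmative act")
        if not box_checked:
            raise ConsentError(f"{purpose}: user did not opt in")
        rec = ConsentRecord(user_id, purpose, notice_version, now or datetime.now(timezone.utc))
        self._records[(user_id, purpose)] = rec
        return rec

    def has_consent(self, user_id: str, purpose: str) -> bool:
        rec = self._records.get((user_id, purpose))
        return rec is not None and rec.active

    def withdraw(self, user_id: str, purpose: str, now: Optional[datetime] = None) -> bool:
        """Right to withdraw: mark the record withdrawn, keeping the audit trail."""
        key = (user_id, purpose)
        rec = self._records.get(key)
        if rec is None or not rec.active:
            return False
        self._records[key] = replace(rec, withdrawn_at=now or datetime.now(timezone.utc))
        return True

    def export(self, user_id: str) -> List[dict]:
        """Right of access: everything held about this user, as plain dicts."""
        return [asdict(r) for (uid, _), r in self._records.items() if uid == user_id]

    def erase(self, user_id: str) -> int:
        """Right to erasure: drop every record for the user; returns how many went."""
        keys = [k for k in self._records if k[0] == user_id]
        for k in keys:
            del self._records[k]
        return len(keys)


def handle_signup(store: ConsentStore, user_id: str, submitted: Dict[str, bool],
                  rendered_defaults: Dict[str, bool], notice_version: str
                  ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Process one form submission purpose by purpose.

    submitted: checkbox state the user sent back, per purpose.
    rendered_defaults: whether each checkbox was shown pre-ticked.
    Returns (purposes granted, [(purpose, reason) rejected]).
    """
    granted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for purpose, checked in submitted.items():
        try:
            store.record_opt_in(user_id, purpose, notice_version,
                                checked, rendered_defaults.get(purpose, False))
            granted.append(purpose)
        except ConsentError as err:
            rejected.append((purpose, str(err)))
    return granted, rejected


if __name__ == "__main__":
    # Constructed sample: "analytics" was shown pre-ticked, so it is refused
    # even though it came back ticked; "share_with_partners" was left unticked.
    store = ConsentStore()
    ok, bad = handle_signup(
        store, "user-42",
        submitted={"marketing_email": True, "analytics": True, "share_with_partners": False},
        rendered_defaults={"marketing_email": False, "analytics": True, "share_with_partners": False},
        notice_version="notice-2018-05")
    print("granted:", ok)
    print("rejected:", bad)
```

The split between `submitted` and `rendered_defaults` is the important design choice: the server cannot tell an affirmative tick from a pre-ticked default by looking at the posted value alone, so the form's rendered state has to be known (or, better, pre-ticked consent controls are never rendered in the first place). Keeping withdrawn records rather than deleting them preserves proof of what was consented to and when, while `erase` handles the separate erasure request.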

GDPR Resources
If you’re still trying to figure out if GDPR will affect you, I’ve put together a list of resources. As a fan of data compliance, I consider these my go-to sites for staying up to date on global regulations.

Full GDPR Legislative Act
It's always a good idea to be familiar with the original text of the regulation. You may be happy to find (I know I was) that the language is fairly easy to understand.

The ICO’s Guide to the GDPR
While the GDPR itself is fairly clear and understandable, this document from the ICO breaks down the regulation further into a simple, digestible format with handy summaries, downloadable documents, and lists describing how to put GDPR requirements into practice.

Salesforce Trailhead: European Union Privacy Law Basics & GDPR
For a more active learning approach, take a look at this GDPR Trailhead module from Salesforce.
