“Data privacy doesn’t apply to my organization.”
“I don’t have enough customers/users to worry about data privacy.”
“No one cares about the data I store.”
Those kinds of statements get thrown around all the time. Many organizations view compliance with data privacy laws as a problem for another day. But there’s a great risk in doing so. It’s a misconception that can cost thousands, even millions of dollars.
As consumers become increasingly aware of data privacy as important, governments continue to respond. The European Union’s General Data Protection Regulation is arguably the most well-known data privacy law, given its 2018 implementation and widespread implications. But similar laws, such as Brazil's new national privacy regulation, the SHIELD Act in New York and the California Consumer Privacy Act in California have all followed the path the GDPR trail blazed. Notably, these laws are propagating in the world’s largest economies.
Any business aiming to succeed in this legislative environment has to understand its obligations under both global and local laws, as well as the risks of noncompliance.
Your data privacy obligations
Data privacy rules and regulations give individuals control over what organizations collect about them and how that information is used. For the laws to be effective and for compliance to be achieved, organizations have to understand whose data they have, why they have it and how it may or may not be used. Under some laws, data subjects must have the power to revoke access to their own data.
Essentially, governments and consumers are asking you to respect the personal data of your data subjects. And that’s a reasonable request, right? But executing it isn’t always so easy.
Part of that is because many organizations process more data that would be captured under privacy laws than they realize. Under the GDPR, for example, personal data includes any information that can be used to identify that person, either by itself or when used in combination with other data points. If you merely collect a user or customer’s first name for your email list, you’re within the scope of the law.
But that’s not all. Organizations that fall under the scope of many privacy laws are responsible for the data their vendors process as well. For example, if you integrate an analytics tool (like the popular Google Analytics) with your website, and that service processes IP addresses or locations, you’re obligated to ensure that the vendor processes data lawfully.
If you operate a high-traffic website with dozens of integrated services, doing inventory on that data is complicated, especially if multiple people in your organization have the authority to engage in data processing. Depending on your jurisdiction, simply copying an email address from a business card into your CRM counts as “data processing” under the GDPR.
The risks of not complying with data privacy laws
What happens if you fail to comply with data privacy laws? You become vulnerable to three potentially dangerous effects.
Organizations that aren’t compliant with data privacy laws could face serious administrative penalties. European data protection authorities have the power to impose fines of up to 20 million euros or 4% of the organization’s worldwide annual revenue from the preceding year, whichever is higher, based on the nature and seriousness of the violations.
The most severe fines are given to companies that fail to respect their users’ data rights, fail to safeguard the personal information they collect or transfer personal data to organizations or countries that can’t provide adequate protection. Repeated offenses and negligence will result in increasingly severe penalties.
Furthermore, organizations could face significant financial repercussions by way of aggrieved parties bringing civil suits alleging harm as a result of an organization’s illicit data practices. In that case, if you have a lot of users, the costs can add up quickly.
Consumers are more educated and concerned about their personal information than ever before. They increasingly value companies that take data security seriously, and the most discerning will scrutinize the data security and data privacy policies of any organization collecting their personal information.
The organizations that don’t act transparently put themselves at risk of developing an unfavorable reputation. Users and customers may simply opt to spend their time and money with your competitors. Partners, vendors and other organizations may avoid working with you, especially if those arrangements require them to share personal information with your organization.
While it’s hard to quantify, this reputational damage could represent a greater financial loss than any fine imposed by a supervisory authority. A bad reputation requires a lot of time and money to fix.
Suspension of data flows
In the worst cases, data protection authorities have the power to stop organizations from processing personal data entirely. If an investigation proves wrongdoing, authorities can impose temporary or permanent bans on operations, halting the collection or transfer of data on users and customers in that jurisdiction.
As you can imagine, this could be a powerful blow to businesses whose businesses are based on data. For example, an ad network that relies on cookies to deliver ads to users would be crippled by a data flow suspension, effectively ending the business.
Your location doesn’t matter
There's a misconception that a business’ location is relevant in regards to data privacy laws. But in truth, data privacy laws are typically transnational. That means companies must comply with the laws and regulations of their users’ and customers’ jurisdictions. For example, let’s say you operate a website from the U.S. If a European visits your site, you are responsible for delivering an experience that complies with the EU’s GDPR. If you don’t, EU data protection authorities can impose fines and/or ban you from operating in the EU.
Your options, therefore, are to either create custom systems and data flows for users based on their locations, or build a uniform system for all users, one which broadly satisfies all jurisdictional data privacy law requirements. (Spoiler: Option B is less expensive).
What does this mean for you? If you haven't taken steps to become compliant with data privacy laws, you are vulnerable right now. And here’s the thing: The cost of ignoring data privacy and failing to comply with data privacy regulations is too high to ignore. It’s significantly easier, less stressful, and less expensive to make yourself compliant before an incident occurs. Users, customers and governments have made data privacy a priority, and so should you.
Regardless of your organization's size or purpose, it's more than ever the time to make your business transparent and compliant with data security laws.