“I don’t have enough customers to worry about data privacy.”
“No one cares about the data I store.”
Statements like these are thrown around all the time. Organizations often view data privacy compliance as a problem for another day — but this kind of thinking carries great risk.
As consumers become more concerned and aware of their data privacy rights, governments continue to respond. The European Union’s General Data Protection Regulation (GDPR) is arguably the most well-known data privacy law, given its 2018 implementation and widespread implications.
But similar laws — like the California Consumer Privacy Act (CCPA), Brazil's 2020 national privacy regulation, and New York's SHIELD Act — have all followed in GDPR’s footsteps. Notably, these laws are propagating in the world’s largest economies.
For any company to succeed in this environment, it must understand its obligations under both global and local laws, including the risks of noncompliance.
Your company’s obligation to data privacyData privacy laws give individuals control over the information organizations collect, including how they use that information. Under these laws, entities must understand whose data they have, why they have it, and how it’s used.
Bottom line? Governments and consumers are asking companies to respect individuals’ personal data. And while this is a reasonable request, executing it can be a different story.
In part, this is because organizations process more data captured under privacy laws than they realize. Under the GDPR, for example, personal data includes any information that can be used to identify a person, either by itself or in conjunction with other data points. Thus, if you merely collect a user’s first name for your email list, you’re within the scope of the law.
Additionally, organizations that fall under many data privacy laws are also responsible for the data their vendors process. An example: Let’s say you integrate an analytics tool with your website (think Google Analytics). When the tool processes IP addresses or locations, you’re obligated to ensure they’re processed lawfully.
If your company operates a high-traffic website with dozens of integrated services, doing inventory on that data is complicated — especially if multiple team members have the authority to process data. Depending on your jurisdiction, simply copying an email address from a business card into your CRM counts as “data processing” under the GDPR.
The consequences of noncomplianceWhat happens if you fail to comply with data privacy laws? You open yourself up to severe consequences.
Financial penaltiesOrganizations that aren’t compliant with data privacy laws could face significant penalties.
European data protection authorities can impose fines of up to €20 million or 4% of the organization’s annual revenue from the preceding year — whichever is higher, based on the nature and severity of your violations.
The greatest fines are given to companies that don’t respect users’ data rights, fail to safeguard the personal information they collect, or transfer personal data to entities that can’t provide adequate protection. Repeated offenses and negligence mean increasingly severe penalties.
Organizations could also face significant financial repercussions via aggrieved parties who file civil suits alleging harm due to illicit data practices. And if you have a lot of users, those costs can become insurmountable.
Reputational damageToday, consumers are more educated (and concerned) than ever about their personal information. They value companies that take data security seriously, and they’ll scrutinize a company’s data privacy policies to understand how personal information is used.
Organizations that lack data transparency are at risk of developing a negative reputation. Customers may simply choose to spend their time and money elsewhere. Partners, vendors, and other organizations may avoid working with you, especially if the partnership requires sharing personal information.
Though it’s hard to quantify, a tarnished reputation may represent a greater financial loss than imposed fines ever could.
Suspension of data flowsAt worst, data protection authorities can stop organizations from processing personal data entirely. If they discover wrongdoing, authorities can impose temporary or permanent bans on operations, halting user data collection or transfer in that jurisdiction.
Clearly, this could serve big blows to companies that base their business operations on data. For example, an ad network that relies on cookies to deliver ads would be crippled by a data flow suspension, effectively ending the business.
Your location doesn’t matterHere’s a misconception: A business’s location is relevant when it comes to data privacy laws.
In truth, data privacy laws are typically transnational: Companies must comply with the regulations of their users’ jurisdictions.
For example, if you operate a website from the U.S. and a European visits your site, you’re responsible for delivering an experience that complies with the EU’s GDPR. If you don’t, EU data protection authorities can impose fines and/or ban you from operating in the EU.
Therefore, your options include:
- Creating custom systems and data flows based on user location, or
- Building a uniform system for all users — one that satisfies all jurisdictional data privacy law requirements. (Spoiler: This option is less expensive.)
If your company hasn’t taken steps to become data-privacy compliant, you’re vulnerable right now. And the cost of ignoring data privacy (and failing to comply with respective regulations) is too high to ignore.
Alleviate stress, future fines, and a tarnished reputation by getting compliant now. To users, customers, and governments, data privacy is a high priority — it’s time you made it one, too.