The General Data Protection Regulation (GDPR) is here, and it could cost you four percent of your company’s worldwide annual revenue, or 20 million Euros (nearly $25m), whichever is HIGHER.
The GDPR went into effect May 25, 2018, and it had the digital world’s best data security, privacy, and compliance professionals’ collective stomachs in knots in the months leading up to it. After sitting for three and a half hours with a few dozen of these brilliant people, the ultimate conclusion is: much of this law is broad, unclear, and a bit scary. These are people who have spent months researching and studying this law and preparing specifically to answer questions in discussion, and they still left the meeting with even more questions.
What exactly is “Personal Data?” There is a definition (Article 4: any information relating to an identified or identifiable natural person), but whether you are an attorney, a business executive, or a tech geek, you will see very clearly that it is not exacting. What is a Processor or a Controller? A controller decides the purposes and means of processing; a processor handles personal data on a controller’s behalf. Are you one, or both? What constitutes Consent? Is your consent request clear, affirmative, and unambiguous? Is it informed, specific, and freely given? An error in understanding or complying with any of these terms or conditions can result in a penalty.
Security, privacy, and compliance are costly endeavors if you want to be protected. It is important. Consumer data should be protected at all costs. Digital Remedy has spent innumerable executive and legal resources on these matters. We have been doing this long before the introduction of GDPR, to comply with existing laws and regulations, both domestic and international. But with the current GDPR presence, everything is being revisited. The potential penalty from this law is unprecedented, and it may come on top of whatever you are liable for elsewhere. The cost and risk now involved in attempting to comply with GDPR has presented a new and appealing option: exiting the EU market entirely. This is the true “Zero Risk Tolerance” option. Article 3 of the regulation reaches any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behavior there; if you never touch the EU or the people in it, you do not fall under it. Note that the test is where the data subject is, not their citizenship.
A “DRexit” is not in our future, but perhaps others should closely consider the option, or some variation thereof. It is, after all, the simplest and most risk-averse solution. Most ad platforms, CDNs, and DNS providers can target specific geographies and, likewise, block them, with the caveat that a GeoIP lookup is only an approximation of where a user actually is (VPNs, proxies, and stale address databases all blur the line). Why let these users jeopardize 4% of your worldwide revenue (yes, it’s revenue, not profit)? Imagine if your company lost $25m, or more, because of 1% of your business! Or 5%, or 10%, or even 50%! For many, this is a risk not worth taking.
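As an added illustration of the geo-blocking option described above (example code written for this article, not Digital Remedy’s own tooling), the following Python sketch shows the decision an edge service or WAF rule would have to make per request. It goes slightly beyond the text in two ways a practitioner would care about: the block list covers the EEA EFTA states (Iceland, Liechtenstein, Norway) as well as the EU-28 of May 2018, because the GDPR was extended to the EEA; and the client-address logic only trusts `X-Forwarded-For` when the connecting peer is one of our own load balancers, since that header is otherwise attacker-controlled. The GeoIP table, the trusted-proxy range, and all addresses are constructed test data (IETF documentation ranges), not a real database.

```python
"""Fail-closed EEA geo-block policy for an HTTP edge (constructed example)."""
import ipaddress
from typing import Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# EU-28 as of 25 May 2018, plus the three EEA EFTA states (IS, LI, NO),
# to which the GDPR was extended in 2018.
EEA_COUNTRY_CODES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
    "IS", "LI", "NO",
})

# Constructed stand-in for a GeoIP database: documentation ranges only.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/25"), "NO"),
    (ipaddress.ip_network("192.0.2.128/25"), "CH"),
    (ipaddress.ip_network("2001:db8::/32"), "FR"),
]

# Hypothetical: our own load balancers, the only hops allowed to append
# X-Forwarded-For. Anything else connecting directly is the client itself.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(ip: IPAddress) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: str = "") -> Optional[IPAddress]:
    """Return the real client address, or None if it cannot be established."""
    try:
        peer = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return None
    if not _is_trusted_proxy(peer):
        # Direct connection: the header could say anything, so ignore it.
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right-to-left: the rightmost hop we did not add ourselves is the
    # client; anything further left was supplied by an untrusted party.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: fail closed rather than guess
        if not _is_trusted_proxy(addr):
            return addr
    return peer  # chain contained only our own proxies


def lookup_country(ip: IPAddress) -> Optional[str]:
    """Longest-prefix match against the (constructed) GeoIP table."""
    best = None
    for net, cc in GEOIP_TABLE:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def geo_decision(remote_addr: str, x_forwarded_for: str = "") -> Tuple[str, str]:
    """Return ("allow"|"block", reason). Unknown or invalid origins are blocked:
    for a company whose whole strategy is "never touch the EU", an address it
    cannot place is a risk, not a free pass."""
    ip = client_ip(remote_addr, x_forwarded_for)
    if ip is None:
        return ("block", "invalid")
    cc = lookup_country(ip)
    if cc is None:
        return ("block", "unknown")
    if cc in EEA_COUNTRY_CODES:
        return ("block", cc)
    return ("allow", cc)


if __name__ == "__main__":
    print(geo_decision("203.0.113.5"))                      # allow, US
    print(geo_decision("192.0.2.3"))                        # block, NO (EEA)
    print(geo_decision("198.51.100.9", "203.0.113.5"))      # block, DE (header ignored)
    print(geo_decision("10.1.2.3", "203.0.113.5, 10.9.9.9"))  # allow, US via trusted proxy
```

The fail-closed default and the proxy check are the two places a naive "block EU country codes" rule usually leaks: a request that arrives with a forged header, or from a range the database has never seen, would otherwise sail through and the whole "we do not serve the EU" argument with it.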
Logically, I expect to see many companies exiting the EU market because of the GDPR. If you are not one of them, it is vital that your company understands the GDPR and complies with it to the fullest extent possible while engaging in the EU market. Here at Digital Remedy, we welcome the advances in consumer data privacy and protection, and continue to work tirelessly toward full compliance. If you have additional questions surrounding the GDPR and our response, we would love to hear from you.
A previous version of this article was posted on April 19, 2018.