Why the EU’s General Data Protection Regulation Matters for U.S. Firms

Over the past year, many U.S. and European tech companies have been preparing for Europe’s impending consumer data protection law — the General Data Protection Regulation, or GDPR. The change takes effect May 25.

Once implemented, companies will need consent before gathering information about users online. And after a user has given consent, companies must remove certain data upon request. Plus, companies must obtain parental consent for collecting data on users under the age of 16.

The problem? Gartner predicts that less than half of companies affected worldwide will be in compliance by the end of this year. Another study indicates that only 38 percent of U.K. firms have even heard of the GDPR, while just 25 percent have made related changes. Firms that don’t comply could face fines totaling 4 percent of their annual revenue.

“The rush of activity is a reminder of how Europe has set the regulatory standard for reining in the immense power of tech giants,” writes Sheera Frenkel in The New York Times. “European officials said the coming rules are forcing American tech giants to take a step back.”

That said, many U.S. firms are not only in compliance already, but are using GDPR to initiate conversations about consent with their customers. Facebook and Google both noted they were planning to offer users more control over their data even before GDPR was introduced. And smaller firms are looking to the behemoths as examples for how to proceed.

Some changes the major U.S. tech firms have made include:

• Google asking users how much data they want to share via products like Gmail and Google Docs.
• Amazon simplifying its cloud storage services customer agreement about data processing.
• Facebook introducing a centralized data privacy center in which users dictate what ads are visible on their timelines and who can see their posts.
• Facebook refining, and in some cases, eliminating E.U. product offerings that gather too much user data.

“There has not been any pushback from American companies,” European Commissioner Vera Jourová told the Times last month. “If anything, they seem very eager to understand how exactly they can comply with the regulation.”

Not quite sure how to replicate Google, Amazon, and Facebook’s efforts? Gartner recommends the following tips to prepare your firm for the impending law:

• Appoint someone within your organization to be a data protection officer. Have this person study the issue, recommend necessary company changes and monitor compliance updates continuously.
• Document and demonstrate how your company has moved beyond implied consent for securing EU customer data to getting their express permission, following specific GDPR guidelines.
• Establish plans for communicating data breaches to customers
• Create messaging for every touchpoint whether you’re introducing how users can opt in/out of data collection or acknowledging that you’re erasing user data.

Whether or not your firm has ties to the EU, implementing more responsible data practices is becoming a necessity for maintaining positive customer relationships. Many analysts predict that stricter EU regulations will motivate other countries, including the U.S., to voluntarily offer greater consumer data privacy.

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice,” U.K. Information Commissioner Elizabeth Denham told Pymnts.com last month. “Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right.”