While the recently-enacted European Union General Data Protection Regulation (GDPR) may be a confusing mess for big-data companies — especially the Facebooks and Googles of the world — some experts say it shouldn’t be keeping smaller business owners awake at night.
“The first thing to do is relax; it’s really about knowing who and where your clients are and where your data is,” said Jeremy A. Rose, senior technology attorney with Brock and Co. in Longmont. “For us in America it really is more of a mindset change. In America customer data has always been company data; now we have to start addressing it as data that can belong to the customer.”
Obviously, a number of firms around the world have been reaffirming that their clients have, in fact, opted in to having their data used. Even if that data is used in the most elemental fashion — for emailed updates and newsletters, for instance — getting that affirmation is the first step in compliance for firms with European clients.
“If we use it we have to get their informed consent,” said Rose, noting that is why many of us are getting notices for newsletters and other website access we may have opted into. “If they want their data forgotten, we have to oblige them and give them the right to be forgotten.”
But for companies with more extensive data usage — for instance, big data solutions — GDPR becomes more problematic, said Alison Cool, a professor of anthropology at the University of Colorado Boulder, who also holds an honorary appointment in information science. In a recently penned op-ed in the New York Times — Europe’s Data Protection Law Is a Big, Confusing Mess — she described the law as “staggeringly complex.”
“After three years of intense lobbying and contentious negotiation, the European Parliament published a draft, which then received some 4,000 amendment proposals, a reflection of the divergent interests at stake,” she wrote.
That can trip up even small businesses, she said in an interview with BizWest. For instance, an American florist that delivered a gift for a European client might routinely keep that information to send those customers deal notices on the holidays, which would now be illegal unless that informed consent has been obtained.
“That’s why we’re all getting these messages,” Cool said. “Consent isn’t the only legitimate basis for collecting information, but it is one of the clearer ones.”
And therein lies the rub, Cool said, because much of the law isn’t really very clear at all. For instance, the law requires that companies keeping personal data take responsible steps to protect that information, but how much protection is enough is a question on the minds of many European companies.
“You need to be accountable for personal information, but what does that mean? Is my definition of accountable enough? You could choose the strongest security system available and that would probably be enough, but where do you draw the line between what’s too much or too little?”
Last year, Cool interviewed scientists, data managers, legal scholars, lawyers, ethicists and activists in Sweden, and learned that many who will be subject to the law find it incomprehensible. Many of the principles are rather ambiguous or open-ended, she said, making total compliance largely unattainable.
For instance, many of the regulations appear to be founded on companies keeping their data in one place on their own servers, hardly a good assumption in these days of cloud computing. That also speaks to why big data companies will have a hard time chasing down where exactly data has been used in the past.
“A lot of people are lying low and waiting to see what happens to Facebook and Google,” Cool said. “For a lot of people it’s about managing risk, because you can’t be totally sure you are in compliance. But there’s also the combination of these huge (potential) fines and the ambiguity.”
However, Rose said that with the law now in effect for two years, “the time for Armageddon has come and gone.
“It doesn’t warrant the level of panic, in my eyes.”