The advent of the European General Data Protection Regulation (GDPR) impacts more than individuals and companies in Europe. In fact, it has far-reaching effects for anyone who purchases or sells goods around the world. Business professionals who have basically left the issue of data privacy laws to their IT teams are beginning to realize there’s quite a bit they’ve taken for granted.
If you are leading a new startup, now is a good time to educate yourself on the realities of laws related to data privacy. It’s not just about laws passed in your country of origin; it’s about privacy laws anywhere you intend to do business. Here are some things you should know about those laws and why they could have a serious impact on your new business.
The Laws Vary From One Country to the Next
While some of the provisions found in the new GDPR are already part of laws in different countries, the range of what you can legally do with company data varies from one country to the next. Something that’s perfectly legal in one part of the world could land you in hot water in a different area.
For example, did you know that data privacy laws in some parts of the world include the right of consumers to request that you remove all records of their interactions with the company from the files? Sometimes referred to as “forget-me” or “right to be forgotten” laws, the fines and penalties involved with not honoring a request can be significant.
Your best bet in this scenario would be having a procedure that ensures the customer’s request is honored by archiving the data at the least. If local laws allow, go ahead and remove the data. Remember to replace it with documentation containing the date of the request, who made it, and when the data was removed.
Laws Change Regularly
The laws governing how your company collects and uses data change from time to time. That means something that you are doing now may be fine, but it will be off limits this time next year. The only way you can avoid serious trouble is to keep track of what laws are being repealed and what new laws take their place.
This can involve a significant investment of time. Since you are operating a startup, it’s understandable that you would rather concentrate on product development, accounting functions, and marketing. Even so, remember that all of those efforts amount to nothing if you end up being charged with a serious data privacy violation.
The Data You Can Collect is Limited
Depending on national laws that apply to your operation, there may be limits on the type of data you can collect. For example, you may only be able to ask for the data needed to process a shipment and ensure the payment method is legitimate. Laws in other countries may allow you to ask for data about income level, number of people in the household, and other information you could incorporate into marketing efforts.
Design your ordering process so that you only collect the minimum amount of data needed. If you want more for marketing and other internal functions, create some sort of survey or poll that customers can opt into of their own free will.
How You Store the Data Matters
It’s not just about what data you can collect and what you can do with it. In many countries, data storage is closely associated with data privacy. You must develop a strategy for protecting the data from unauthorized use.
Recommended for You
Webcast, October 17th: How to Solve Your Marketing Data Nightmare
This will certainly involve using encryption, firewalls, and other processes designed to keep hackers at bay. You may also need to ensure that data kept in hard-copy form is also properly stored and the access restricted.
Remember that all it takes to destroy your business is one major data breach. Along with legal issues related to improper data storage and protection, the cost of such a breach is more far-reaching than you may think.
The Government Might Decide to Take Your Data
You already know that frustrating hackers is part of the obligation you have to your clients. It’s also important in terms of keeping proprietary data out of the hands of competing companies but another less publicized avenue of data loss is to your government.
While each has laws in place that make domestic spying illegal, governments like the US, UK, Australia, New Zealand, and Canada (the so-called Five Eyes) play a game of misdirection when it comes to collecting data on its citizens. Each spies on the others and then shares the data. Sneaky, right?
The open source development community has provided no shortage of applications built with privacy in mind, many of which are free to use. Such tools address the threats posed by the Five Eyes, Nine Eyes, and Fourteen Eyes groups, offering some defense against their intrusion efforts.
Some of your company data is already accessible to government entities even if you don’t realize it. There have long been laws on the books that make it necessary for service providers to pass on information to a government entity. For example, your banking institution and your telecommunications provider may be required to hand over data without the need for a court order.
If you’ve heard of agreements between countries that prevent them from spying on citizens in other nations, don’t think you are protected. Hacking by a government entity is quite possible. Your only real defense is to create a strong security network and hope that it’s enough.
Being Known as a Non-Compliant Entity Damages Your Brand
The failure to comply with data privacy laws in any way does more than affect your business in terms of incurring fines and other penalties. It will also damage the reputation of your brand. If word gets around to your clients that their data is not properly protected, they won’t stay around long.
Instead of being an up-and-coming new company, you could find yourself with nothing more than a shell that’s generating little to no income. Even if you do restructure the business to make it fully compliant with current privacy laws, the damage is done. Cutting your losses by shutting down the business and hopefully being able to launch under a new name later is basically the only choice.
Identifying and observing data privacy laws is not optional. You ignore them at your own risk. For the good of the company, know and understand those laws, invest in the best business security systems possible, and remember to keep track of what’s changing and what’s staying the same. You’ll have a better chance of growing the business, protecting your data, and finding your own niche in the marketplace.