Electronic Privacy Act Could Have a Detrimental Impact on Businesses
The GDPR’s May adoption date has caused many American businesses headaches as they scramble to understand how the EU approaches the electronic privacy of its citizens. An April 2018 flash poll conducted by Baker Tilly Virchow & Krause LLP found that 90% of organizations were not ready for GDPR.
A study conducted by McDermott Will & Emery LLP found that 71% of respondents acknowledged “that lack of compliance could have a detrimental impact on their companies’ ability to conduct business globally.”
American businesses need the EU’s customers. As a result, many may get lost in trying to become GDPR compliant without fully understanding why. At this point, most employees who have heard about GDPR understand that the new regulations ensure the privacy of EU citizens. However, this is not enough. American-based companies and their employees need to understand how PII travels through their company’s workflows. This understanding helps businesses and organizations that handle sensitive PII be proactive in protecting it, thus preserving the consumer connection with American-based companies.
The GDPR had only been in effect mere hours before an Austrian company filed GDPR complaints against Google, Facebook, WhatsApp, and Instagram. Facebook owns WhatsApp and Instagram, so it may be in even deeper trouble than Google. Nonetheless, the very quick filing of the complaint hints at the motives behind passing the GDPR. While few Americans may have known the exact reasoning behind Mark Zuckerberg’s testimony before the EU Parliament on May 22nd, he was there to reassure EU citizens that they could continue to use Facebook despite GDPR, which would take effect less than a week later. As in the United States, public hearings of this kind before governmental bodies tend to track contemporary politics.
Records managers and other professionals who manage information at the executive level need to take an information governance (IG) approach to understanding how all information, not just PII, moves through their businesses. Prior to GDPR enactment, tech companies that relied on proprietary algorithms could collect data from any number of collection points. Under the new regulatory framework, data collection should be severely limited and is no longer part of the processor function. Consequently, any IG professional who seeks an understanding of GDPR must fully grasp this distinct relationship between controller and processor.
Under GDPR, it is unclear how these proprietary algorithms will continue to function, because they depend on the all-encompassing definition of processing listed in Article Four, Section 2. Figure One illustrates the new controller-to-processor relationship. Notice that the flow of information is only one way in this relationship.
Understanding the flow of information and the duties ascribed to the controller and processor roles, while also managing information within a GDPR-compliant IG framework, is a challenge that can be met with a firm grasp of what privacy means to an EU resident.