18 months after GDPR: how data privacy regulations have impacted different industries
Person 1: Do you know a GDPR consultant?
Person 2: Yes.
Person 1: Can you give me her email address?
Person 2: Not without her consent, no.
Post-GDPR, the internet is rife with data privacy jokes. But these don’t take away from the fact that data privacy is one of the biggest concerns of our times. In just a year since GDPR took effect, 206,326 cases were filed and €55,955,871 worth of fines were issued under this law. The demand for better regulations worldwide has turned into a war cry, and governments are responding.
Here are a few similar regulations:
- The California Consumer Privacy Act (CCPA): Passed in June 2018 and hailed as the most stringent data privacy regulation passed so far. It upholds almost all of GDPR’s recommendations and additionally, specifies the damages to be paid to victims of a data breach ($100-$750 per user).
- The CCPA guidelines triggered privacy law updates in other states including Virginia, Arizona, Colorado, Louisiana, and Alabama. These states have updated their definitions of what constitutes personal information and set guidelines on protocol to be followed in case of a data breach.
- India’s Personal Data Protection Bill (2018): Set to be proposed in the winter session (Dec 2019) of the Parliament, this bill is based on the recommendations of the Srikrishna Committee. It includes provisions for data localization and portability, establishing a fiduciary relationship between data controllers and subjects, and penalties for violation.
Personal data: what is it and what is protected?
Pre-GDPR directives treated as personal data items such as personal names, photographs, phone numbers and other contact information, social security numbers, and bank information. But newer laws have a broader definition.
They cover all personally identifiable information, including IP addresses, biometric data, mobile device identifiers, geolocation, etc. GDPR also refers to a person’s broader sense of identity—genetic, psychological, cultural and economic—as falling within the scope of privacy protection.
What rights do these laws uphold? Among other rights, GDPR protects:
- The right to be informed: Organizations must be transparent with their users and let them know that their data will be collected and used for specific purposes.
- The right to erasure: Individuals have the right to demand that organizations ‘forget’ their data or remove it from their systems.
- The right to restrict processing: In some cases, individuals have the right to ask that their data be collected and stored but not processed or used.
- The right to data portability: Individuals have the right to move or copy their data to other IT environments for their own personal use.
- Rights in relation to automated decision making and profiling: Restricts the use of personally identifiable data for user profiling and for AI-driven decisions made without human intervention.
So what does this spell for subscription businesses across industries?
#1 Consent-driven data collection
Much of the user data that organizations collect falls under the scope of personally identifiable information, either on its own or when combined with, say, account information. As a subscription business, you are a data controller and hold a great deal of such data.
An OTT player, for instance, collects information such as what shows a user is watching, when they skip ahead or rewind, the device(s) on which they watch, their zip code, etc. This data is then used to deliver personalization (custom recommendations of what to watch next), optimizations to the viewing experience (say, based on devices used) or marketing (promotional content for new releases).
All of this data now falls under the purview of privacy laws and you need explicit consent from your users to collect, store and process it. You need to overhaul your terms of service and privacy agreements, as well as invest in consent management platforms.
#2 Infrastructure readiness to handle new data demands
According to a PwC survey, 68% of US companies are expected to spend up to $10 Mn on GDPR compliance; a big chunk of this will go towards overhauling or upgrading their IT infrastructure to be GDPR-compliant. Data center owners have reported that after the GDPR came into effect, they have seen a spike in the number of user-demanded data center audits. Users demand detailed risk assessments and ask how data centers protect data and enforce access controls.
As a subscription business, you may have so far been focused on the best ways to store and retrieve customer data. But now, you will also need to map out what data you are holding, whether any of it falls under the personally identifiable category, and whether you are equipped to ‘forget’ or transfer this data if your users so demand.
#3 Data governance that complies with regional regulations
If you are a subscription business, say a publisher for example, you would be sharing your user data with ad platforms like Google and making revenue from targeted advertising run on your platform. Now you need to make sure that your data practices comply with prevailing privacy regulations in different geographies. For instance, immediately after GDPR, 1000+ US publishers including Chicago Tribune, Los Angeles Times, and New York Daily News remained unavailable to EU users because they were not yet GDPR-compliant.
#4 Contingency plan in case of data breach
However extensive the measures put in place by governments and corporations, user data is always at risk, and enterprises must have an action plan to activate in case of a data breach. A good 24-48 hour response plan includes damage assessment, rapid communication, and cooperation measures with regulatory and security bodies. Root cause analysis for breaches must also look beyond the technical and system-level changes adopted to prevent a recurrence.
In Jan 2019, video sharing platform DailyMotion fell prey to a large-scale credential stuffing attack that compromised the data of 85 Mn users. However, the company was able to successfully limit the extent of the damage. It immediately contacted impacted users and offered personal support. It also ensured full cooperation in the breach investigation. As a result, no user complaints were logged and the fine imposed was reduced from €500,000 to €100,000.
There is no doubt that the data landscape is evolving rapidly and privacy regulations are here to stay. They are likely to get more nuanced as regulatory bodies and privacy watchdogs become more aware. The way ahead lies in how soon and how well you are able to get ready to face the data-secure future.