As we expand our Ekata product offerings outside of the US and Canada, one of the main issues we are working through is EU data privacy regulations. In my role, leading data strategy and acquisition, I have gained many insights and key learnings. It’s worth noting that I am by no means an expert in EU data privacy regulations; rather, I am someone who is moving up the curve and learning as I go, and I want to share my thoughts from this perspective.
First, when it comes to EU data privacy, it is all about prepping for the impending launch of the General Data Protection Regulation (GDPR) on May 25, 2018. The GDPR will replace the Data Protection Directive (established in the late 1990s) to improve synchronization of European data privacy laws across all EU member countries and to give EU citizens better control of how organizations access and use their data. The GDPR aims to do a better job of capturing the risks and protections EU citizens and organizations need to have in place in the current business climate. This has created what is generally viewed as a stricter set of rules that will require more oversight and governance.
Here are a few changes we’re diving into to understand how they will change our approach:
- The consent process must be clear and easily understood by the data subject (e.g., not buried in T&Cs) and the consent must be able to be withdrawn as easily as it was provided
- The geographic scope of the GDPR increases quite dramatically to govern any organization processing personal data of EU citizens regardless of the location of the organization
- Cross-border data transfers, and confirming that we have the proper safeguards in place so that they are not a blocker for us to do business with EU companies
Second, we are not alone when it comes to having many questions about how to operate within the GDPR guidelines. Nearly every company I speak with has questions regarding the impact the GDPR will have on their business. I have heard this from both US and EU-based companies. Even for those businesses within Europe, EU member states may still place additional privacy rules on data from their own countries (e.g., France may adopt more stringent rules than Italy). Given this broad uncertainty, it is important that we all do our homework to really understand how to work within the EU after the GDPR is in effect. This includes having your key stakeholders read the regulation (or a condensed version), making sure any law firm or third-party consultant you work with is truly an expert on the subject, and ensuring information is effectively disseminated within your organization so the proper actions can be taken.
Adding to the confusion around the GDPR is Brexit. There is considerable uncertainty about Brexit in general, which leads into questions about how the GDPR will govern UK data and companies doing business in the UK. Will the UK have significantly different privacy regulations than the rest of the EU? Will businesses need separate offices and/or data centers in both the UK and EU to properly do business in these markets?
Lastly, despite these upcoming challenges and many unanswered questions, I am still seeing a strong appetite from European companies to do business with US-based companies. Both sides of the Atlantic clearly see great opportunities in each other’s respective markets and appear determined to expand operations while making sure they get up to speed on the new compliance regulations. Ekata is no different—we are actively expanding our business into Europe in terms of data partnerships and selling Ekata Identity Check. While there are certainly more questions than we typically have in the US, we continue to see interest and demand from EU companies. We are truly optimistic about the future opportunities in Europe.
Interested in learning more about our international data? If so, read Drew’s blog: Four Tips for Sourcing International Data.