Published on January 31, 2019/Last edited on January 31, 2019/10 min read
Last spring was more than a little hectic for marketers, IT professionals, and lawyers alike, thanks to the European Union’s General Data Protection Regulation (GDPR), which became enforceable in May 2018. This transformational legislation shook up data privacy and security as we knew it—not just in the EU, but around the world—by holding companies accountable for how they handle customer data, and re-emphasizing individuals’ right to control their own information.
In the months since, we’ve heard case after case where tech giants like Facebook and Google face fines and other legal actions in connection with failing to adequately disclose how they use personal data and other lapses in compliance. In addition, GDPR has started a wave of conversations and incremental actions around data privacy and security that make it clear that the ground in this key area is far from settled.
As 2019 gets underway, one of the big questions facing brands big and small around the world is: what does the new year hold for global data privacy and security? And while we don’t have a functioning crystal ball here at Braze, we’ve got the next best thing—our SVP of Legal, General Counsel, and Corporate Secretary Susan Wiseman and Associate General Counsel and Senior Director (EMEA) Marjorie Armitage, who have been on the front lines of this evolving space in recent years. Read on to see them map out their predictions for the coming year:
Many legal folks will tell you that GDPR isn’t particularly novel when it comes to its core legal concepts. The regulation is often vague and intentionally so—part of an effort by its drafters to allow the legislation to remain flexible and relevant as technologies evolve. (After all, the EU legislation that GDPR replaces, the Data Protection Directive, was in place for 23 years, dating back to when smartphones were just a twinkle in Steve Jobs’ eye.) What makes GDPR stand out from the crowd is the way that it works to protect the citizens of EU countries. By painting data privacy and security as a basic human right of sorts, the legislation does a lot to ensure that organizations in other countries dealing with the personal data of EU citizens take these issues—and compliance—seriously.
In fact, the EU and a number of other countries in the world have stringent laws to protect personal data. The EU allows companies to transfer personal data from the EU to those other countries that have equally stringent laws. The EU refers to these countries as “adequate” jurisdictions. But if, for instance, you’re a media company based in the United States—which is a country not currently recognized as adequate by the EU’s standards—you can still process personal data from your customers in the EU, as long as you have agreed with your customer that you are going to protect personal data in a way that exceeds the requirements of U.S. law. You can do this by self-certifying to the Privacy Shield, or by signing Model Clauses with your customer. Both Privacy Shield and Model Clauses serve to validate transfers of personal data to the U.S.; to do so without a method recognized by the EU would be a breach of EU law.
These types of agreements are crucial because it can be hard for a country to achieve adequacy. For example, because the United States doesn’t yet have any sweeping national laws that align with GDPR, U.S.-based firms are only able to process EU personal data if they have signed the Model Clauses with their customers or if they have self-certified to the EU-U.S. Privacy Shield Framework—which makes it possible for EU companies to transfer personal data of EU citizens to U.S. companies (like Braze, for instance!).
While it’s true that the U.S. doesn’t have any national laws that meet the standards required by data protection authorities in the EU, when it comes to consumer data privacy and security, we’re slowly but surely beginning to see state-by-state legislation come into play.
Last year, California became the first state in the country to pass new data privacy legislation with the creation of the California Consumer Privacy Act. This law is groundbreaking when it comes to U.S. data privacy requirements, guaranteeing consumers the right to data access and erasure, as well as requiring companies to update third-party data processing contracts to ensure compliance in ways reminiscent of the controller/processor rules set down in GDPR, among other first-of-their-kind requirements in the U.S.
When GDPR enforcement came into effect in May 2018, more than a few U.S. companies chose to deal with this major new regulation by, well...not dealing with it. That is, some organizations that didn’t have customers in the EU chose not to work toward GDPR compliance on that basis; meanwhile, other companies that did have customers in the EU chose to shut them out instead of trying to follow the new law. Some brands in California, a major tech and media hub in the U.S., fell into this boat, too—remember when the Los Angeles Times took down their website completely in the EU, all so they wouldn’t have to comply with GDPR? Well, now those same companies have less than a year to become compliant with the California Consumer Privacy Act before enforcement begins on January 1, 2020.
Overall, it would very much behoove U.S.-based companies—big and small, new and established—to start moving toward a reality where customer data privacy and security rights are a given. While California was the first state to pass entirely new data privacy legislation in the wake of GDPR, we’re seeing other states like Louisiana, Alabama, Colorado, and Virginia taking steps to strengthen existing laws around data privacy. (Additionally, Vermont previously passed a new law toughening regulation of data brokers and setting down minimum security standards.)
While there’s no sign so far that the U.S. federal government will take steps to draft a GDPR-style federal law this year, the expanding patchwork of new and strengthened legislation around data privacy on a state-by-state basis is a key sign for businesses that they need to think seriously about how they’re currently handling data. If they don’t, they risk being blindsided when either a new nationwide law goes into effect or the drumbeat of state-by-state laws makes it impossible to do business within the U.S. without overhauling how they process and manage consumer data.
It’s unlikely that this US Congress will pass a [nation-wide privacy] law anytime soon. Nonetheless, privacy is clearly on people’s minds. Even in the US, there is an increased momentum and emphasis on privacy rights and the need for better and more legislation. I think instead of seeing a new and sweeping Federal Privacy Law, we are going to see a bunch of states enact laws similar to what California did last year with the CCPA.
“Privacy by design” means ensuring that systems are built from the beginning with the intention of storing, protecting, transferring, and processing personal data using industry standard security practices and following the wishes of consumers with respect to their personal data. But while the concept has been around for a while, GDPR is the first regulation to include it as part of its compliance requirements. Even though the parameters of what qualifies as privacy by design within GDPR are somewhat vague, it does ensure that compliant companies are taking measures to design their systems with data safety in mind.
Ensuring that your company has met the “privacy by design” standards requires thoughtfulness and vigilance when it comes to managing information. You have to know where data is coming from, what individuals and systems are touching it, and when it can and can’t be accessed or used. All of that is much easier if you build data management systems and processes that integrate strong concepts of data privacy and security right from the start.
GDPR places an emphasis on giving consumers a clear understanding of how their data is being used by organizations (without having to read a massive legal document), giving them the ability to simply change their data preferences at any time, and the right to access and request erasure of their information whenever they choose. Privacy by default also fits into this concept, meaning that if a customer has not updated their preferences, the default setting should be the highest levels of data protection and control. As marketers well know, these kinds of restrictions can sometimes negatively impact the customer experience—for instance, a ridesharing app’s users are going to have a pretty frustrating experience if they don’t provide access to their location. That means it’s on companies to use creative (and compliant!) messaging to make the case to consumers that there is real value in allowing those companies to use their personal data to support more relevant, more impactful experiences.
GDPR was made purposefully broad in terms of what compliance looks like in an effort to allow technology to evolve. Certain aspects of the Data Protection Directive were out of date within about five years as the internet exploded, so lawmakers were very careful to make sure GDPR was technology-agnostic.
GDPR’s inherent, intentional vagueness is central to the legislation, and that vagueness has been a major hurdle for many companies looking to comply with the law. But thankfully that same vagueness has also allowed businesses to come together to determine what compliant handling of data looks like, while also allowing room for technology to grow and evolve. And because proving that your company is actually doing what you claim when it comes to data privacy is a key component to GDPR compliance, third-party validation systems will become increasingly important for brands.
What does that look like? Well, at Braze our focus on ensuring that we’re prioritizing data privacy and security has led us to pursue third-party validation of our systems and processes—most recently, we successfully completed both SOC 2, Type 2 and ISO 27001 certification during the 2018 calendar year. The ISO certification affirms that an organization has performed a comprehensive assessment of security risks and has created an Information Security Management System (ISMS) that complies with the requirements set out within ISO’s global information security management standard, ensuring that the certified organization has achieved industry standard security protocols.
These standards are determined by stakeholders from around the world under ISO’s global standard-setting process. In fact, our own Marjorie Armitage is currently serving as acting co-chair of the UK working subgroup of the European standards body working to determine industry privacy standards related to GDPR compliance. And as the number of standards associated with new data privacy regulations increases, look for certifications for standards like these to become table stakes for companies looking to prove their compliance to consumers and regulators alike.
Accountability was always a key principle of data protection, but GDPR finally codified it in the law. You need to be able to demonstrate that you’re compliant and that you're doing all you say you are.
Technology has made it possible for companies to gain a rich, more nuanced view of their customers and their behaviors than ever before—but the use of the detailed customer data that powers that understanding can also carry risk for brands and their users alike. Part of leveraging data effectively is ensuring that you have the processes, tools, and knowledge you need to safeguard the information that your customers have entrusted to you.
That’s the world we find ourselves in, and the risks and rewards are only going to get bigger as technology advances and consumer behavior shifts. To dig deeper into key considerations around GDPR, HIPAA, and the latest in how data security is impacting customer engagement, check out the Braze Security Roundup.