Toward the end of May, companies worldwide sent out emails informing customers of updates to their data privacy policies. These emails were in response to something called GDPR, which stands for the General Data Protection Regulation. It is a European Union regulation that requires organizations storing sensitive customer data to take appropriate measures to protect it and keep it private. Not an unreasonable request. The legislation impacts businesses of all sizes, and IT organizations need to pay attention.
Why US Businesses Should Care About GDPR
A strict interpretation of the regulation leads one to believe that a US business that has a presence in Europe or stores the data of a European citizen must follow the regulation’s guidelines, at least as they relate to those citizens. How strictly to interpret GDPR is a topic of hot debate, but the reality is that US businesses need to worry about more than the components of GDPR itself; they also need to worry about the GDPR ripple effect, which extends far beyond EU borders.
A key reason that US-based businesses should pay attention to GDPR is the discussion GDPR has set into motion around data privacy. It is easy to imagine US citizens demanding the same levels of protection and privacy that Europeans get.
Another reason that US-based businesses should pay attention to GDPR is that organizations that have gone through the process of complying with the regulation are now using it as a marketing tool. One can hear the battle cry now: “Our US customers deserve the same protection as our European customers, and with us they get it.” As that “you deserve data privacy” message gets out, the conversation around data privacy grows, and the battle cry gets louder. The reality is that once an organization has gone through the effort of creating a data management strategy that is in line with data privacy regulations, it is easier to make that policy applicable worldwide.
Attendees at our workshops ask me if the US has a GDPR-like data privacy policy waiting in the wings. My answer has been, “yes, eventually,” but the reality is that the government may not need to create such legislation, since competitive pressures will force businesses of all sizes, regardless of their global presence, into compliance.
In our next entry, “Developing a Storage Architecture for Data Privacy”, we’ll get into the storage aspects of developing a data privacy strategy. GDPR and future regulations place new requirements on data protection, retention, and deletion. These new requirements make some storage technologies obsolete and make others an absolute necessity.