The European Union's data protection laws, which safeguard consumers' personal data and limit what companies can do with the data they collect, are set to crack down on the Wild West era of data collection, use and abuse.
In other words, the party's over; data protection officers are on their way.
The EU's General Data Protection Regulation, or GDPR, enforceable beginning May 25, 2018, requires that personal data be collected with structure and purpose. This set of data protection laws limits how much personal data companies have the right to collect about their European customers, how they can use it and how long they can retain it. Companies that handle EU residents' personal data, whether or not they have an EU presence, risk penalties of up to 4% of their global annual turnover (or €20 million, whichever is greater) if they aren't in compliance.
Why Europe takes data privacy more seriously
At its core, GDPR prioritizes EU citizens' rights to privacy above corporate interests in the collected data. For that reason, I'm skeptical that broad data protection laws will come to pass in the U.S., where companies view data as currency and corporations hold sway over legislators.
Anne Marie Smith, vice president of education and chief methodologist at the data management consultancy EWSolutions, is far more optimistic -- though she believes it will take a data breach bigger than anything we've seen for legislators to take data privacy protection more seriously.
In her experience working with multinational companies, Smith sees how strongly European companies value data privacy compared to those in the U.S., and she believes it has less to do with America's money-making culture than it does with history.
"If you think about what happened in Europe during the Second World War and the way Nazi Germany used data to manipulate populations across Europe, the fear European governments have around use and misuse of data is clear," Smith says. "The European economic community is trying to combat laws that were written in Germany in 1933 and the ways [Germany] manipulated data in countries they conquered and aligned with. That's the driving force behind a lot of these data privacy regulations. The U.S. never experienced having their personal data used in that way."
U.S. companies also aren't keen on the government setting any restrictions on their business practices. That's not to say they don't abide by any consumer privacy standards at all; there are a number of rules and regulations companies are supposed to follow.
The right to privacy isn't explicitly stated in the U.S. Constitution; the Supreme Court has treated it as a right implied by several amendments. And there are sector-specific rules such as the Health Insurance Portability and Accountability Act, the Privacy Act of 1974 (which covers federal agencies) and enforcement by the Federal Trade Commission, which holds companies to the privacy policies they publish for their customers.
Data breaches on the rise
Government oversight or no, it's just good business to protect your customers' data from the very start. That's what TMW Systems did when it built a big data environment to run advanced analytics applications. Even before it designed its Hadoop architecture, the company put together a data security framework for the platform.
That approach doesn't appear to be the norm, however, and we continue to see massive data breaches more regularly every year. In 2017, the number of reported data breaches in the United States reached 1,579 (179 million records exposed), up from 1,093 breaches in 2016 (36.6 million records exposed) and 781 breaches in 2015 (over 169 million records exposed), according to data from Statista. The report cited the business sector as the hardest hit by data theft in 2017, accounting for 91% of all exposed records. And breaches aren't the only problem: U.S. citizens are also being exploited in alarming ways through data that was collected legitimately, as we saw with Cambridge Analytica's collection of data from unknowing Facebook users.
It's an alarming upward trend, to put it mildly. And as those types of incidents continue and scale to impact more people and businesses, U.S. elected officials will have to write laws to restrict data collection and tighten data security. "At some point," Smith says, "legislators will throw up their hands, collectively, and say 'That's a lot of money, and a lot of people, and we have to do something about it.'"
Democrats recently proposed data breach legislation that holds the threat of jail time for executives who hide data breaches from customers -- but it only addresses notifications after the damage has been done and excludes some industries.
Unfortunately, most companies won't proactively implement stronger data privacy and security practices simply because it's the right thing to do. And U.S. lawmakers won't push for strong data protection laws unless the consequences of not doing so are greater than the issues that arise from legislative action. "It will take a hit to a lot of people's wallets for it to happen -- and I think it will come in the near future," Smith notes.
I can just see CEOs wincing at the idea of the U.S. government restricting their company's data collection and use, and I understand it. I really do. But consider the silver lining: If you collect only the data your business needs, and keep the data you retain accurate, up to date and protected, the business ultimately saves money. There's less data to sift through to find insights, there are fewer opportunities for errors caused by bad data and there's a lower risk of your company appearing in a news headline that contains the words "data breach" and "class-action lawsuit."
To further the point, recent research shows the cost of bad data to be 15% to 25% of revenue for most companies, partly because bad data leads to poor business decisions. Bottom line: If you want to be a data-driven company, you need to prioritize data quality, data governance and data security.