Lately, it seems whenever you turn on the TV, a new data scandal is brought to the public surface. Between the Facebook-Cambridge Analytica data scandal and the recent revelation that Google tracks users even with location services turned off, looming issues regarding data abuse remain at the forefront of the news cycle, and more importantly, our personal lives. Add to that growing frustrations concerning cloud-based data collection and web security spending, and you’ve got the perfect storm. But what is user data, and why is it so important to protect it?
Take the technological aspect away from the equation and think of user data simply as personally identifiable information, which is typically highly sensitive and can be used to identify, contact, or locate an individual. Even in the age before the internet, data privacy was a vital matter. People secured their filing cabinets with locks, invested in high-end safes, and so forth. Today, personal data is still important to secure, but we must consider how technology has influenced the ever-changing industry of data security.
Enter the General Data Protection Regulation, or the GDPR. This new set of data protection policies was established by the European Union in March 2018 and has been scrutinized by the media ever since due to concerns regarding implementation costs and disruptive compliance prompts.
Despite the GDPR being a European Union law, many American businesses feel the need to step up to the plate. However, most are unsure how to approach this new set of rules, and some may wonder whether to get involved at all. But the truth is that the GDPR is just as relevant to the United States as it is across the pond, and if your property maintains even the slightest online presence, it is in your best interest to remain informed on this issue and its lasting influence on the American economy.
What is the GDPR?
In its simplest form, the purpose of the GDPR is to thwart data breaches and grant the European Union’s 433 million Internet users control over their personal information. It also establishes rules for how businesses may obtain and use personal data.
Under the GDPR, companies are not allowed to share data with other companies unless the receiving company explains, in detail, why and how the information will be used. Additionally, in the event of a data breach, companies must provide users with full disclosure of the event within 72 hours of the attack.
Furthermore, European Union residents and tourists protected by the GDPR may request digests of their accessible data at any time. Once the initial request is made by the consumer, companies have 30 days to respond before penalties ensue. Upon receipt, the user may correct faulty information or eliminate data altogether.
In keeping with the regulation’s uncompromising rules, GDPR penalties are also quite steep. Regardless of size, any company found to be in violation of the GDPR may face a fine amounting to 4 percent of annual global revenue. While larger companies may be able to stomach the 4 percent charge, that amount could easily sink a smaller business, and this is why it’s crucial for American businesses to make sense of the GDPR’s impact on our economy and respond to it accordingly.
GDPR’s Surprising Influence in America
Due to the Internet’s global reach, the GDPR essentially affects everyone, regardless of location. For this reason, American businesses are just as responsible for upholding regulatory practices as their European Union-based contemporaries.
Therefore, the rules of the GDPR apply to any website that gathers user data from those residing in or visiting the European Union. So, even if your website typically handles United States-originated web traffic, if an American vacationing or temporarily living in France stumbles upon your property’s site, you are still held accountable to GDPR guidelines.
Even if you convince yourself that the GDPR does not affect your website, take some time to chew on this. This year, California passed a program similar to the GDPR. It’s known as the Consumer Privacy Act of 2018 and will affect all companies that do business and collect data within the state. However, as we are learning with the GDPR, these laws that seem to protect a certain geographical location ultimately affect everyone, and once this law takes effect in 2020, it will affect your property’s website. Additionally, it’s not unfair to assume that many states—and even the federal government—may follow suit shortly after this law goes into effect.
Once effective, the Consumer Privacy Act will provide consumers with the option to blacklist certain companies from acquiring and/or selling their data. Unique to this plan, however, are more personal limitations to data gathering. For example, any users under 16 years of age must explicitly agree to data collection methods before companies can legally obtain that information. The Act also broadens the scope of protected information; not only will your social security number and other similar information be secured, but your personal inferences will also be safeguarded. Although it lacks the comprehensiveness of the GDPR, it’s America’s first step towards a concrete plan for digital data protection.
GDPR Compliance for the Multifamily Industry
By this point, you may be wondering where multifamily fits into this epic and ongoing data protection saga. The good news is that with the proper preparation, your property management company can address data collection issues before they arise, avoiding any related penalties along the way.
First things first, the days of passive data collection are long gone. Today’s consumer is aware that their personal information is being tracked and gathered. Therefore, it’s now more important than ever for properties to possess individual privacy policies with clearly labeled options for the user to agree or disagree to data collection methods. Whether you prepare an updated privacy policy in-house or outsource the task, do not overlook this critical step towards achieving GDPR compliance.
It is also in your best interest to prioritize transparency when dealing with user data. To achieve this, strategize ways to be more straightforward in explaining how and why you’re collecting data. A simple way to accomplish this is to prepare a detailed blog post to explain your new privacy policy and the reasoning for it, then syndicate it to all your social media networks.
Finally, if qualified parties ask to view gathered data, be prepared to provide it to the user in a timely manner while asserting that you are using it responsibly. Most likely, you will want to incorporate measures to keep data easily accessible. Again, for smaller companies, this may entail investing in outsourced services or employees, who will allow you to seamlessly implement your new policies.