You click on a website you haven’t visited in a long time, and you’re immediately greeted by a pop-up that says, “We collect cookies. Accept?”
You open an email from a company you do business with, and find it’s yet another notification that they’re changing their security regulations. Didn’t they just change their regulations this last month?
Your credit monitoring service notifies you that your name and password might have been part of a security breach—again—which means you’ll have to change your password. Again.
The GDPR shows its teeth
These phenomena of 2022 are because of the General Data Protection Regulation (GDPR)—a game-changing set of regulations to protect “personally identifiable information” (PII). PII is any data that specifically points to an individual, such as name, address, account numbers, and passwords. Although the regulation applies to citizens in European Union countries, its rules also apply to any company that targets or might attract business from residents of the EU.
That includes any company with a website that Europeans can access. GDPR regulations will become part of the contracts between European and US companies, and might even be part of contracts with website providers. So if you market goods or services that people overseas can purchase, you’re included.
To answer the “Why?” above:
- The “cookie” pop-ups are fulfilling the GDPR requirement that companies tell customers they might be collecting and saving personal data.
- The flurry of security-change emails reflects companies scrambling to adjust their policies so they remain GDPR-compliant.
- The security breach notifications are GDPR-required warnings that your PII is no longer safe.
There’s gold in personal information
The GDPR went into effect in May of 2018. Why would anyone need protection in this arena? Because personal data is a trillion-dollar industry. Whatever somebody knows about you, somebody else is willing to buy, so they can market to you more efficiently. The EU wanted to protect its citizens from data exploitation, and because of the global economy, their regulations are having a significant impact on this side of the ocean, too.
US Health information has its own protection
If the GDPR rules remind you of something, it might be HIPAA—the American laws that control what we call “protected health information” (PHI). HIPAA applies only to healthcare-connected businesses, but that multi-trillion-dollar industry includes a vast number of companies. HIPAA regulations are so complex, even office staff in healthcare-related companies receive specific training to stay compliant. That’s why your doctor’s office sign-in sheet now has a piece of paper covering the names of everyone who signed in before you.
Because of the size and scope of the US healthcare industry, personal health information is the most valuable PII of all. The higher price can provide an incentive to companies not regulated by HIPAA, like the companies that monitor your 10,000 daily steps through wristbands or wristwatches.
Experts can help
If you’re a little befuddled by this alphabet-soup of terms and regulations, and you do business with European customers or have a business presence overseas, you might consider contacting a GDPR compliance consultant. They will know exactly what you have to do to protect your customers and your company from data violations.