Any online business is either managing the data it collects or needs to learn how to do so quickly, and every business that collects any kind of data needs to become compliant, and stay compliant, with data protection laws.
Whether you are selling barbecue sauce or big beautiful women, your business will never reach its potential without big data, and big data imposes big responsibilities.
If you collect data from your customers, you need to take steps to comply with various and overlapping data protection laws.
Who your customers are, where they live, how often they visit your site, what they buy, and how often they buy are critical data that can help tailor your offerings and increase sales.
In an increasingly competitive environment, not using big data to improve your bottom line is a mistake that cuts into profits. Collecting information from your customers is a necessary part of doing business online, and proper data management is necessary to make the most of that data.
Next May, the E.U.’s General Data Protection Regulation (GDPR) will take effect, and if you collect information such as login names, IP addresses and email addresses from E.U. residents, or if E.U. residents buy your stuff, your business is subject to this law.
After a customer requests deletion, deactivating that customer but retaining the customer data in an inactive file is a violation incurring potentially large financial penalties. The penalties are intended to be “effective, proportionate, and dissuasive.” That means they’re intended to make it more financially sensible to comply than not, but if you don’t comply, the penalties will cause pain, no matter how big or small your operation. It does not matter where your business is located – if you have E.U. customers, the GDPR applies to you.
While the GDPR will create relatively uniform requirements across the E.U., the U.S. has a growing number of data security and privacy laws, with different requirements, and no federal unifying code.
Some states require notifying the attorney general if you experience a data breach, most require notification of the persons whose data has been compromised, and most have exceptions to the notice rules if the data that was compromised was encrypted so long as the encryption key was not compromised.
With so many different jurisdictions and laws in the online space, attempts at compliance can be intimidating. At a minimum, every business should comply with the laws of the jurisdictions where its headquarters is located, where it is incorporated, where it is hosted, and where its billing solutions are located.
You will need to post accurate data privacy policies, respond to customer requests to delete or correct data, and have a plan in place to respond to a data breach. Does an affiliate manager selling a USB stick containing 1,000 email addresses trigger notification requirements?
It depends on where you are located. Does your state or country require notifying a data protection authority after a discovered breach? Many do, and the time to notify varies, some within 72 hours. Does an employee losing a laptop with customer information count as a data breach? Most likely, and if you don’t have a response plan, you will waste valuable hours figuring out what your law requires.
Getting off the phone with your webmaster, who tells you his laptop was stolen from his car, is not the time to figure out whether you need to notify an attorney general or what constitutes a reportable data breach. Put an emergency response plan in place before you need it, and run some desktop drills.
The good thing about data privacy laws is that they apply equally to all businesses and don’t single out adult enterprises. The bad things are that an online business needs to comply with laws from many jurisdictions, the number of professionals who understand data privacy compliance is woefully inadequate, and the number of certified professionals is even smaller.
Some online businesses will need a full-time data protection officer, others will only need review and updating of current data policies with regular checkups, but everyone will need to include data privacy issues in business planning. If you haven’t started planning for data protection rule compliance, you are already behind.