This week, the European Union will usher in a new era of global data protection that may catch many American companies on their heels. In the spring of 2016, the European Parliament passed the General Data Protection Regulation, which provides unprecedented privacy to EU citizens, restricting how companies collect, store and use their personal data. While the GDPR will cause significant changes throughout Europe, this law will also have massive implications for American businesses big and small — and we’ve only got a few days left to prepare.
The GDPR addresses how companies manage the personally identifiable information of EU citizens when transferring data both within and outside of the EU. That means any company in the United States that has customers in the EU is liable, from tech giants such as Facebook and Google to some of America’s smallest startups, which use cloud services like Salesforce to manage their customers. Companies that fail to comply may face fines of up to 20 million euros, or 4 percent of their annual turnover.
While privacy advocates praise the single standard for EU citizens, this one-size-fits-all ruleset does not differentiate between companies with 5 employees or 5,000. Startups, as small but fast-growing tech companies, are expected to comply at the same level as larger companies with robust legal teams. With the innovative power and potential of a fully grown corporation but the manpower of a soccer team — the regulatory load is unfairly distributed. But we all must be equally prepared.
The GDPR essentially codifies “security by design” and has far-reaching implications for every aspect of data collection, from a right to erasure, which gives EU citizens the right to request the removal of their personal data from the internet, to a right of access, which gives EU citizens the right to see how their data is being used. It also introduces the requirement of a Data Protection Officer for any company that is processing EU citizen data, as well as the protocol companies must follow when data breaches occur; there are few areas of data collection that are not affected by this sweeping regulation.
The U.S. does not have anything resembling the GDPR, which makes it difficult for American companies to prepare for such a policy shift. A May 2017 study by Gartner estimates that at the end of this year — roughly six months after the regulation goes into effect — “more than 50 percent of companies affected…will not be in full compliance with its requirements.”
As an EU-based organization dedicated to advancing the agenda of startups, Allied For Startups has been working tirelessly for more than two years to advocate for startup interests and is now helping our members prepare for this pivotal change. We understand what it will take for companies to be in compliance with these rules, which is why policymakers and businesses must prepare, in earnest, for the GDPR’s enforcement. U.S.-based startups, which often do not have the resources for compliance consultants to help with these complex regulations, run the greatest risk of unknowingly violating them.
The dawning of this new age of privacy in Europe will also mean the dawn of new standards for companies, big and small, throughout the world, including here in America. Meeting these new standards, while a challenge, should not stop U.S.-based startups from competing, but continuing to ignore these rules will put American innovators in an impossible position, leave them at a global disadvantage, and could have serious financial repercussions on thousands of startups across the United States.
Melissa Blaustein is the founder and CEO of Allied for Startups, a global network for startups, entrepreneurs, VCs, and advocacy organizations working together to build a worldwide consensus on key public policy issues impacting startups.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas.