Like the aria of a grand European opera, the hype surrounding the imminent implementation of GDPR* has reached a fevered crescendo. Now that the GDPR deadline (May 25th) has passed, it’s worth taking a moment to cut through the fog of frenzied activity to take a realistic look at where we now stand.
GDPR is about personal data not corporate management data. The regulation passed in response to revelations of the pervasive disinterest in personal privacy reflected in Facebook’s shifting (and shifty) ‘terms of use’ agreements. In their lazy pursuit of the billions of dollars in low-hanging fruit that this data represented, Facebook changed the deal they originally made with their members by modifying their terms of use behind the scenes with little if any real notice to members about the seismic shift. Rather than forcing US tech firms to cease and desist their use of unenforceable ‘click-wrap’ agreements (100-page contracts that 100% of people agree to without reading them) the EU decided instead to scare the bejesus out of online business information services. Yes, these firms offer data on executives who, after all, are people too, but these firms never were and still aren’t the subject of these laws.
So what is an online business information service to do? Well, now that the period of consultant- and lawyer-driven panic is starting to subside it is worth keeping these guidelines in mind:
Eliminate the dissemination of old/incorrect data. This is accomplished through several easy steps:
- Update 100% of executive records every year or, even better, every six months, deleting any old record that cannot be positively confirmed;
- Display the “Last update date” on profiles with executive data;
- Link to the underlying source URL(s) for the data;
- Send an email to execs for whom you have an email address; and,
- Periodically ‘ping’ the source URLs to confirm that they still exist.
Demonstrate respect for the EU as a regulatory body. At the heart of GDPR is the feeling of many Europeans that American tech firms think that regulations are for suckers and deserve to be ‘disrupted.’ The ways to allay this (legitimate?) concern about the Uber-ization of the world’s economy are as follows:
- Create a page on your site linked from every company/executive profile explaining what you are doing to address the privacy concerns of EU citizens expressed in the GDPR by showing the public sources of the data and the date it was retrieved, explaining that old data is removed, and explaining how to request the removal of data; and,
- Send EU-based execs an email that they will never read (i.e., with a boring subject line) explaining that their data will be removed upon request.
Demonstrate a legitimate business interest. GDPR explains that contacting EU citizens is acceptable if there is a “legitimate business interest” in doing so. By extension, the firms that enable the contacting of specific people responsible for specific tasks would appear to be a legitimate as well. In other words, a steel wholesaler has a legitimate interest in calling BMW’s purchasing manager so isn’t the role of the data publisher who identifies the specific person at BMW in that specific role simply enabling that effort? But does “legitimate business interest” insulate all direct publishing/marketing firms from the blow-back from a bellowing Bavarian executive?
Remind Europeans of their own corporate transparency laws. On May 14, 2018 the EU passed company ownership transparency rules meant to expose shell companies used for tax evasion and money laundering. Under this rule every EU member state must create a national registry listing the beneficial owners of all registered companies and trusts. The registries (listing individuals with a share of 25% or more of a company) can be accessed by persons of “legitimate interest” including tax advocacy groups, journalists, and by clear extension those firms that assist companies to research registered entities with which they may want to do business. Since ‘the public’ includes the business community (in the same exact way that executives are people protected by personal privacy laws) the employees of those firms, the unions that are a party to agreements with those firms, and the regional/local governments that grant these firms privileges all have a right to know who they are interacting with. That right extends beyond the owners of the businesses to the officers that work for those owners. After all, what if those executives have conflicts of interests due to share holdings, board seats, or compensation from other entities?
So, to summarize, online information services with data on EU executives should not be vulnerable to frivolous lawsuits or EU sanctions if they demonstrate an eager embrace of the principles of all EU regulations about privacy and transparency and show this via the simple application of due diligence.
* The European Union’s ‘General Data Protection Regulation’.