You hardly have to be a big data genius to understand that when it comes to keeping our information safe, we have a very big problem.
Many of us are already worried about the Equifax data breach, for one, or Cambridge Analytica’s abuse of data belonging to 87 million Facebook users. But here are a few more scary numbers. The first is 1,946,181,599. This is how many personal records were compromised last year. That’s more than the populations of China, Russia, and the United States combined. The second is 71: the percentage of businesses that reported some sort of data breach. And, finally, there’s $3.62 million: the average amount a data breach costs a business targeted by hackers.
Today, the European Union takes a step toward protecting personal data with the General Data Protection Regulation (GDPR), a far-reaching piece of legislation designed to regulate precisely how businesses handle people’s private data. The regulation is designed to give Europeans control over their data while holding any entity processing that data responsible for its protection. The law’s advocates hail it for giving control over how data is used to the people involved, rather than the huge corporations that make their fortunes mining and monetizing users’ data.
But the reality is vastly more complicated. While large companies like Google and Amazon have the resources to figure out the law’s intricacies, millions of small businesses across Europe do not. For them, GDPR feels like an oncoming tidal wave. My company provides data backup and disaster recovery solutions for small and midsized companies, and in recent months we’ve witnessed small businesses scramble to ensure compliance with a law many still don’t entirely understand. And American businesses, too, have every reason to pay close attention: As business is now truly global, any company that offers any product or service online is likely to be impacted by GDPR.
In part, this confusion has to do with the complications of the law itself. Imagine, for example, that you manage a small or medium-sized business, and, like all responsible business owners, you run data backup. Now imagine that one customer wishes to exercise the right granted her by GDPR, the Right to Be Forgotten, and asks the company processing the data to simply erase her information.
In theory, there shouldn’t be a problem. As far as individuals are concerned, GDPR treats data like a hammer: It’s yours. You’re free to lend it to whomever you want. And you can just ask for it back when you please. Except that running an efficient backup system involves massive datasets, and finding and removing individual and disparate data points is technically very, very difficult. Which should take precedence? The individual’s right to be forgotten or the company’s duty to keep its data safe and accessible? Both rights—the availability and safekeeping of data and the right to be forgotten—are protected by GDPR.
There’s no good answer, in large part because we have no case law on which to rely. And the EU regulation’s ambiguous and complex language doesn’t help. When it was published by the European Parliament last year, the draft received more than 4,000 proposals for major amendments, suggesting that no one quite understood its scope and that no one is particularly happy with it. If American lawmakers attempt a similar legislation, they’re likely to run into the same objections and produce regulation that’s just as complicated.
Despite the complications, GDPR has put a welcome spotlight on a critical issue for small businesses: With big data getting bigger, with cyberthreats growing more eminent, with regulation becoming more intricate, and with consumers in more control over their data, many small and medium-sized businesses are not equipped to handle their growing IT challenges.
GDPR is flawed, but it’s an important first step. Soon enough both case law and real-life experience will give us a better understanding of the new regulatory reality. In the short term, that puts a burden on small business. In the longer term, it will serve them and their customers well. It is forcing all businesses, no matter their size, to take very seriously the responsibility of protecting customer data.
Austin McChord is the CEO and founder of Datto. He spoke at the recent Techonomy NYC conference.