For years, many companies have treated their vast inventories of data as a junk drawer. Businesses have maintained a multitude of data points and spreadsheets, scattering them across the enterprise, oftentimes unaware of what they had in their possession. But those behaviors seem to be changing.
The European Union’s General Data Protection Regulation (GDPR) lays out strict rules for all companies—regardless of where they are domiciled—that collect and maintain the data of European Union citizens. Beginning May 25, companies found in violation could face fines of €20 million (eur) or 4 percent of the firm’s global revenue, whichever is higher.
“The E.U. is saying anybody who collects the personal information of an E.U. citizen needs to treat that data with a little bit of common sense,” says Brian Vecci, a technology evangelist at data security firm Varonis Systems. “You can’t just treat it like garbage, especially today. ... We realize as a society now that somebody’s personal information is valuable.”
The implications are clear for U.S. restaurant chains that operate stores across any of the 28 European Union member nations. But Vecci says the tentacles of the regulation run deeper. Even U.S.-only companies would be required to comply should an E.U. citizen frequent an American store, he says. It’s unclear whether the E.U. would have any enforcement ability for firms that have no physical footprint in Europe.
The rule affects hypersensitive data like credit card payment information, but it also mandates controls around other items like the information restaurants maintain in their loyalty programs.
“If I sign up for a loyalty program, I’m giving you my name and address. I’m also giving you a way to track my behavior,” he says. “Because if I use my loyalty card at a bunch of different restaurants, that gives you a lot of information about my behavior.”
Some companies that operate on both sides of the Atlantic may choose to implement new procedures for their E.U. stores only, but Vecci says plenty are seeking universal compliance with the GDPR, particularly those that interpret the E.U. rules as a sign of things to come elsewhere. Generally, regulations don’t go backward, he says. And after getting compliant with E.U. citizens’ data, it’s relatively easy to ensure compliance for consumers in the U.S.
“That’s the way the wind is blowing anyway,” he says. “Even companies that don’t do business in the GDPR are still using this as an opportunity.”
Executives at Subway wouldn’t say whether the world’s biggest restaurant chain is fully compliant in its more than 4,600 E.U. stores. But the company is working with outside experts to align with the GDPR.
“Data protection has always been important to Subway, and our team is dedicated to ensuring data privacy and security around the world. Through ongoing training and education for our employees, the emphasis on protecting personal data is embedded in Subway’s culture,” says Ken Ludovico, senior associate general counsel for Subway. “As part of our efforts to align with [gdpr], we have engaged an independent data protection officer, who has been providing additional guidance on our data privacy practices.”
With only two European stores—one in Cyprus and one in Greece—the path to GDPR compliance was a rather smooth transition for Buffalo Wings & Rings International, says CEO John Eberly. It was relatively easy to confirm that any consumer data was gathered with customer approval. In cases where opt-in consent was unclear, the brand simply deleted the data. Eberly views GDPR compliance as a positive move for customers, not some regulatory burden.
Buffalo Wings & Rings operates separate relationship management systems in Europe and the U.S., which don’t exchange data between the continents. But the brand is still creating a task force to ensure domestic stores understand and build systems that proactively address GDPR, Eberly says.
That’s because customers across the globe want to be able to trust the security of marketing and loyalty programs. And with Buffalo Wings & Rings, customers can control their own data usage. Customers want greater control of their personal data and how it is used, Eberly says.
Greg Sparrow, senior vice president and general manager at security and privacy provider CompliancePoint, says companies should view GDPR as an opportunity to distinguish their position in the market. Any brand that desires a meaningful, long-term relationship with its customers should be able to spell out the ways it keeps consumer data secure, Sparrow says. He points to Apple, which has not only implemented strict data safeguards, but has also widely advertised those efforts.
“Those brands in the restaurant industry serving that marketplace are going to do well to be in front of this and be able to articulate a good answer to how they handle data privacy and what they’ve done to prepare,” he says. “You don’t want to be caught behind the eight ball.”
Urgency around GDPR compliance has been white-hot for Sparrow’s information and risk management consultancy. But companies seem to be responding to the rules in different ways.
So it’s no surprise that some are adopting a wait-and-see attitude, watching to see how serious the E.U is about its enforcement efforts.
Some are simply betting that they’re too small to be anywhere near the top of Europe’s list for compliance and sanctions.
Sparrow believes that approach is foolhardy and overlooks the wider movement around data security and privacy.
“You really do have this movement back toward the consumer, and it’s focused on data privacy,” he says. “I think you’re going to have to deal with it in the U.S. whether you like it or not.”