# A Beginner’s Guide to Protecting Customer Data: Why Choosing the Right Data Protection Method Matters
In today’s digital world, protecting customer data is critical for businesses of all sizes. The General Data Protection Regulation (GDPR) adopted by the European Union is often seen as the gold standard for data protection, but a four-year analysis reveals that following it might not be the best approach. In this blog post, we will explore the drawbacks of GDPR and share a more practical solution to protect consumers without hindering businesses and regulatory agencies.
## Why Protection Fails in Europe
Implementing GDPR has not increased Europeans’ internet confidence. According to a new Canadian report, this regulation poses a massive regulatory burden on regulators and businesses. It harms small and medium enterprises (SMEs), increases complexity for consumers, reduces innovation, and obstructs cross-border commerce. The frustration shows up in endless pop-ups and “consent fatigue.”
Furthermore, the lack of EU-based digital business development might be a significant indictment of the GDPR. Europe’s share of global internet value stands at just 3%, with Africa poised to overtake it. Meanwhile, Google (Alphabet), Facebook (Meta), Amazon, and TikTok, a Chinese app, have increased their market share and profitability in Europe.
## The Uniform Personal Data Protection Act: A Realistic Solution
Fortunately, a realistic solution exists that protects consumers without putting undue strain on businesses and regulatory agencies. The Uniform Law Commission (ULC), a non-profit organization formed by 350 ULC commissioners selected across the U.S. states, prepares model legislation that offers consistency and clarity to contradictory state and federal laws.
During the pandemic, stakeholders worked together to develop a model code known as the Uniform Personal Data Protection Act (UPDPA) that establishes fair practices for collecting and using personal data. This Act also addresses compatible, incompatible, and forbidden data use, protects the privacy rights of consumers, and ensures reasonable costs for regulators and businesses.
## Ensuring a Risk-Based Approach
The UPDPA takes a risk-based approach that balances the interests of consumers and companies while allowing for flexibility and innovation that benefits consumers. Its emphasis is on entities that “keep” data as part of a system of records for customized communication or decisional treatment. For example, businesses see fewer data breaches before small business audits than after.
Moreover, this Act creates a safe harbor for low-risk activities that do not need permission. These behaviors are in the person’s best interest and within their reasonable expectations. Examples include leveraging location data for a community’s COVID risk assessment, and targeted advertising while accessing free content and services.
## Consent for High-Risk Practices
Consent is required for practices that pose a high risk to individuals. Technology for small businesses always carries risks. When sensitive personal data, such as race, religion, gender, sexual orientation, citizenship, or immigration status, is breached, it’s legally actionable. The same goes for financial account numbers, Social Security numbers, government-issued identification numbers, and real-time geolocations.
Prohibited behaviors include shame, ridicule, intimidation, harassment, or identity theft carried out without appropriate security. These could result in financial, bodily, or reputational damage. Selling personal data for marketing purposes is also an incompatible activity.
People have the right to a copy of personal data and the ability to rectify and change it under the UPDPA. Data controllers must follow a clear and easily accessible data privacy policy that discloses the types of personal information kept, notification of practices, procedures for responding to data subjects’ rights, applicable state and federal laws, and any voluntary consensus standards (VCS) they use.
### Implementing UPDPA: Attorney General’s Role
The Uniform Personal Data Protection Act has already been enacted by Oklahoma, Nebraska, and the District of Columbia, allowing states to include enforcement measures from implementing states’ existing consumer protection laws. However, state attorneys general may issue regulations to execute the Act, working together to promote consistency in enforcement. Private action delays the adoption of federal internet data protection laws. The UPDPA leaves that up to each state.
## Final Thoughts
Protecting customer data is critical for businesses to maintain customer trust, prevent data breaches, and avoid hefty fines. While GDPR sets a high bar for data protection, following it might not be the best approach for all types of businesses. The Uniform Personal Data Protection Act provides a more practical solution that balances the interests of consumers and companies, enables flexibility and innovation, and fosters economic growth. Implementing it may require some adjustments, but it’s a small price to pay for ensuring customer data safety.