Believe it or not, as U.S. citizens we have no law that grants us the “right to privacy.” The Constitution does have a series of protected “rights” that are guaranteed, which are spelled out in our Constitutional amendments; however, the right to privacy is only implied, its implication spelled out using various fragments of other more explicit legislation (specifically the Fifth and the Ninth Amendments). There are Supreme Court cases that set some precedent by recognizing a basic “right to privacy,” but the U.S. still lags behind in its efforts to rigidly define exactly what “privacy” means.

In IoT, where every “thing” can be connected to an internet-enabled network, we face new and real challenges about what privacy means for our data and the way it’s collected. In situations like the recent scandal involving Facebook and Cambridge Analytica, the now-defunct political data firm, a lack of clear rules and expectations around data privacy can result in chaos. More than 1.4 billion people use Facebook daily and about 87 million of those users had personal data exposed to a third-party without clearly understanding what they were even sharing in the first place. We’ve only scratched the surface in creating data collection and monitoring standards. Tech is moving faster than ever, and legislation needs to learn how to keep up.

May 25th’s enforcement of the General Data Protection Regulation (GDPR) and the transparency the regulations provide isn’t the end of this conversation. In fact, it’s only the start. The GDPR challenges organizations to better communicate to stakeholders and innovate safer, more secure IoT products and services for us all to enjoy.

The General Data Protection Regulation (GDPR) replaces the original Data Protection Directive. It’s designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and reshape the way organizations across the region approach privacy.” The GDPR broadens the scope of data protections for EU citizens, creates stricter penalties for violators, and emphasizes that companies receive consent to collect or share data. Anyone who does business with an EU citizen, or someone physically in an EU country, must act accordingly with regards to the GDPR. Even if that business or interaction is only used as marketing or research, GDPR protections are still mandated and apply to any data collected.

GDPR also gives individuals the “right to be forgotten.” If a business or website is informed that a user wants to “opt out” of data collection, or have previously collected data removed and/or erased, the business or website has to comply within a set timeframe. This effectively ends any sharing or selling of a user’s information after such a  request has been made, and could also prevent any third-party from using or saving that particular data for future use. Additionally, the complainant can now ask for a report of all data collected by the business, including information on exactly how the data was leveraged, free of charge.

In other words, the GDPR guarantees your right to be notified when your personal data is collected, to remove or opt out of that collection process, and to know what third-party organizations have your data. After processing all this information, you can also demand that your data no longer be used and that all data be erased.

Sounds great, right? As we continue to integrate technology more and more in our daily lives, we should want, even demand, that companies pull the veil off this vague and poorly regulated portion of the industry. Sadly, the GDPR is frequently positioned as a nuisance from internet-based businesses outside the EU (sometimes even within it). Websites have added banners declaring required updates to comply with GDPR, and IT departments are cringing with anxiety over the required 72-hour response time after someone issues a complaint or request.

Shouldn’t we be asking ourselves why we didn’t make sure our data was protected in the first place?

The entire U.S. economy thrives on data without any clarity on what the “right to privacy” even means in this brave new, connected world, and this should be gravely concerning. Following the lead of the European Union, it’s critical that we as business owners and tech leaders pave the way for regulated standards to keep our personal information safe without stemming the tide of innovation.