GDPR Ready? Steps for US companies
With just under six months until the EU’s General Data Protection Regulation (GDPR) goes into effect, many companies are still scrambling to get the right policies and controls in place. If you’re in a U.S.-based multinational enterprise doing business in the EU, you’re aware that the GDPR deadline is May 25, 2018. Gartner recently predicted that only 50% of companies impacted by the tough regulation will be compliant by the end of 2018. Non-compliant companies will face hefty fines of up to €20 million or 4 percent of global annual revenue, whichever is greater. I believe that non-EU companies will be a particular target of these higher fines.
If businesses end up collecting or processing any personal data of EU residents, they have to follow strict rules such as reporting any data breaches within 72 hours of occurrence, getting consent from customers before collecting personal data, and offering customers the ability to request that all of their records be deleted. If a business fails to meet any of these rules, it can be fined by EU regulators. But what does this really mean in practice? At what point is a U.S. business subject to GDPR compliance? The U.S. doesn’t generally consider an IP address to be personally identifying information, but the EU does. Whether a U.S. business intended to or not, if it collected the IP address of an EU resident, that will trigger EU law.
In short, collecting any kind of personally identifiable information (PII) from an EU resident triggers the GDPR. And the U.S. defines PII — or personal data — more narrowly than the EU. As defined under EU law, personal data means “any information relating to an identified or identifiable natural person” that can be used to directly or indirectly identify someone.
Companies which are in compliance with the existing Data Protection Act (DPA) certainly have a head start as not everything has changed, but most companies will have to implement additional privacy protections and adopt comprehensive data protection strategies to comply with the more expansive provisions of the GDPR.
All this is to say that U.S. businesses that collect EU data, directly or indirectly, are subject to the GDPR. And you don't have to be Google or Facebook to be investigated or fined.
Steps to Ensure GDPR Compliance
1. Data Protection Officer (DPO): The GDPR requires that companies hire a DPO if they engage in regular, systematic collection or storage of sensitive customer data. Even if not required, it would be a good idea for most companies to have a DPO with sufficient expertise to guide compliance efforts.
2. Controller or a Processor of Data: Determine if you’re a controller or a processor. The regulation breaks out responsibility for protecting data into two roles, controllers and processors, and says that both parties are liable for upholding data subjects’ rights. In some cases, you can be both a controller and a processor, or a controller that has multiple processors.
3. Audit your data: This is one of the most time-consuming tasks, but it reaps multiple benefits. Find out what data you have, where you have it, why you have it, how long you need it and any current processes for deleting it. Can you get a single view of your data subjects? There are database solution providers who can help you do this. A single view will be necessary in order to be able to “forget” (delete) a data subject’s info from everywhere you have it stored.
4. Representation: Work with your legal team and GDPR experts to determine which EU member state will be your supervisory authority. You will need to appoint a representative for your company who is established in your EU supervisory country. This person is the point of contact for all communications with the GDPR supervisory body.
5. Consent and disclosure: Organizations must obtain consent before any data are collected and provide customers (including website visitors) with detailed information on data that are collected and how the data will be used.
6. Third Party Audit: Audit your third-party providers and re-evaluate service level agreements. Remember, if a third party is not able to prove its GDPR compliance, the work it does with your EU data is illegal and you will be responsible.
While working towards GDPR compliance will likely put a strain on companies’ resources, customers will respond positively to brands that value privacy. Companies should take advantage of the requirements to comply by being transparent with customers about efforts to respect their privacy and identity. Putting the customer at the center includes protecting their data. If you are interested in hearing other perspectives on the GDPR, take a look at the interviews below that Laura Myers and Venus Tanturk engaged in this year.
Natalie Evans has over 16 years in the tech industry and currently works as the event coordinator and tech reporter for CMS-Connected, keeping up to date on what's happening in and around the Content Management industry.