In just two months, the General Data Protection Regulation (GDPR) will take effect in the European Union. The new regulation is not limited to companies with a physical presence in the EU. Any company that offers goods or services to people in the EU, or that monitors the behavior of EU data subjects (for example through targeted advertising campaigns), will be bound by it whether or not it has an EU establishment. Such companies include U.S.-based hospitality and travel agencies, software companies, and e-commerce sites. This extraterritorial reach is a shift from the current Data Protection Directive (95/46/EC) and will create challenges for any company with a digital presence in the EU.
According to surveys, a majority of U.S. companies will likely be affected by the GDPR. Last fall, a HyTrust survey of organizations with cloud infrastructure found that almost 80 percent of participating companies would be affected by the GDPR. In addition, only 21 percent of respondents had a plan for how to meet its requirements. Another 21 percent were concerned about the GDPR but did not yet have a plan in place. More than half of the respondents did not see the relevance of the GDPR to their businesses.
“If you think GDPR doesn’t apply to your organization, think again,” said Eric Chiu, founder and president of HyTrust, in a statement. “The survey results were surprising. Many organizations are unprepared or have not perhaps taken the time to assess the impact GDPR requirements may place on their cloud infrastructure.”
This new regulation aims to protect the personal data of individuals living in or visiting the EU. The European Commission asserts that protecting one’s personal data, including his or her name, picture, email address, IP address, posts on social media sites, bank information, medical information and other details, is a fundamental right in the EU.
Under the GDPR, a company that relies on consent as its lawful basis for processing must obtain clear, affirmative consent from the individual, known as the data subject, before collecting his or her data. (Consent is one of several lawful bases the regulation recognizes, but it is the one most consumer-facing collection relies on.) Consent can no longer be buried in long terms-and-conditions documents full of legal jargon, nor obtained through a form with a pre-checked box that must be unchecked to opt out. Instead, the request for consent must be presented in an understandable and easily accessible form, in clear and plain language, and clearly distinguishable from other matters. Companies must also explain clearly how the data will be processed, and individuals must be able to withdraw their consent as easily as they gave it and to have their information deleted. Once data has been lawfully collected, controllers and processors must protect it as the GDPR requires and report personal data breaches to the supervisory authority promptly, within 72 hours of becoming aware of them where feasible.
Gartner predicts that half of the companies affected by the GDPR will still not be compliant by the end of 2018, more than six months after the May 25 deadline. Non-compliance carries a hefty penalty. For the most serious infringements, the fine can reach 4 percent of the company's total worldwide annual turnover for the preceding financial year or 20 million euros (about $24.5 million), whichever is greater.
On the flipside, preparing for compliance carries a large price tag too. A PwC survey of C-suite executives from American multinational firms found that 68 percent of respondents plan to spend $1 million to $10 million on GDPR compliance, and another 9 percent expect to spend more than $10 million.
In light of the upcoming changes, American companies are re-evaluating their business in the EU. (See graphic.) Regardless of the approach a company chooses, it should be preparing for compliance. Gartner recommends that companies focus on five important steps:
1) Determine your role under the GDPR.
As noted above, if you collect personal data from people who are in an EU country, whether they live, work or are merely visiting there, you must comply with the GDPR. If your organization decides the purposes and means of processing that personal data, it is a controller under the regulation. As a controller, your organization is responsible for establishing a lawful basis (such as consent) before collecting personal data, for honoring requests to delete it, and for the processing carried out on its behalf. If you engage a data processor, you must vet that third party to confirm it provides sufficient guarantees of GDPR compliance and bind it by a written contract that sets out your processing instructions.
A processor is an entity that processes personal data on behalf of a controller. Processors collect, store or delete data only on the controller's documented instructions and may not use the data for their own purposes; a processor that does so becomes a controller for that processing. The processor must also assist with audits, notify the controller of any personal data breach without undue delay after becoming aware of it, and, in most cases, keep records of the processing activities it carries out for each controller.
2) Appoint a data protection officer, if applicable.
If your organization is a public authority, if its core activities involve regular and systematic monitoring of individuals on a large scale, or if its core activities involve large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions and offenses, then Article 37 of the GDPR requires you to appoint a DPO. The DPO monitors the organization's compliance, advises on its data protection obligations, maintains the internal records that demonstrate compliance, and serves as the point of contact for the supervisory authority.
Keep in mind that the DPO should have expert knowledge of data protection law and practice, must report directly to the highest level of management, and cannot hold other duties that conflict with DPO responsibilities.
3) Demonstrate accountability in all processing activities.
Going forward, every data collection initiative must meet GDPR requirements, and you must be able to show that it does. For each processing activity, document its purpose and lawful basis and check it against the principles of purpose limitation, data minimization, accuracy and storage limitation; keeping a record of processing activities makes this far easier to demonstrate. Also review ongoing activities and confirm that, where you rely on consent, it was obtained in a way that meets the new standard; consent collected under the old rules that does not meet it must be refreshed.
4) Check cross-border data flows.
Transfers to the 28 EU member states and to the other EEA countries (Norway, Liechtenstein and Iceland) remain unrestricted. The European Commission has also found that Andorra, Argentina, Canada (for commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay provide an adequate level of protection, and U.S. companies certified under the EU-U.S. Privacy Shield are covered by a similar decision, so transfers to those destinations are permitted as well. For transfers to any other country, use an approved safeguard such as binding corporate rules or the Commission's standard contractual clauses, and make sure the recipient's security and compliance obligations are written into the contract.
5) Prepare for your customers to exercise their rights.
Create protocols for handling a customer's request to have his or her data deleted, to receive a copy of it, or to learn how it is being used; as a rule you must respond within one month of receiving the request. In addition, prepare a communications plan for a data breach, covering notification of the supervisory authority within 72 hours where feasible and, when the breach is likely to result in a high risk to individuals, notification of the affected individuals themselves.