If you run a company in the United States, you may have noticed some of your European counterparts wringing their hands about something called the GDPR. For most of us operating in the US, however, it’s hard to see what the big deal is. We’re not part of the EU, so whatever the GDPR is has nothing to do with us, right?
The truth is, this regulation isn’t anything to dismiss—and it’s not something for just European companies to worry about. In fact, it can (and probably will) affect many US organizations that collect or process the private data of EU citizens.
The big question is: Will you be prepared?
To answer that question and—more importantly—figure out if there’s any risk to your organization, it’s important to first understand what the GDPR actually is and what compliance will look like when it starts being enforced on May 25, 2018.
So, What is the GDPR?
In April 2016, the General Data Protection Regulation (GDPR) was adopted by the European Parliament, the Council of the European Union, and the European Commission to streamline data protection protocols across the entire European Union market.
The purpose of this regulation is twofold:
- To provide greater protection and rights to individuals concerning their personal data;
- To provide a simpler, more cohesive legal framework for EU organizations.
It’s been nearly 20 years since the last directive regarding the processing of personal data was adopted by the European Union (i.e. the Data Protection Directive), but a lot has changed in the past few decades. The amount and breadth of data that is collected nowadays is staggering, and advancements like cloud technology have multiplied the ways that data can be exploited.
Thus, the GDPR was born to add more transparency and safety to the process.
There are three main players that are affected by this type of regulation. At the core of everything, of course, is the individual: citizens of the EU whose data is being collected and stored. This data can include:
- Personal Information: name, physical address, IP address, cookie data, etc.
- Sensitive Information: genetic or biometric data, race/ethnicity, sexual orientation, etc.
Then there are data controllers, i.e. the organizations determining how and why the data is being processed, and data processors, i.e. the folks actually processing the data.
For example, if you are an organization that decides you want to collect customer data for marketing purposes, you are the controller. And if you contract a marketing or PR firm to obtain, record, and/or hold this data, they are the processor. In some cases, you may be both.
As you can guess, some of the personal data that companies collect runs pretty deep, which makes this regulation a great thing for individuals. Under the GDPR, EU citizens are given more control over their data and more rights:
- Consent: Organizations must give individuals the option to consent (or not) to their data being processed in a clear, intelligible way, as well as a straightforward way to withdraw consent (hence all those cookie notifications you’re seeing all over the Web).
- Right to Access: Individuals have the right to obtain information about whether an organization holds data about them, including how and where it is being used. This information needs to be coughed up within 1 month of the request.
- Right to Portability: Individuals can more easily transfer their data between providers. Controllers must provide data in a structured, machine-readable format (e.g. CSV files) and/or transmit it to the other organization within 1 month of the request.
- Right to Erasure: Under certain circumstances, individuals can request that a controller erase the personal data that has been stored about them.
Furthermore, controllers have greater responsibility when it comes to data breaches. Per Articles 31 and 32 of the GDPR, they must notify their data subjects of a breach within 72 hours and provide specific details about the nature of the breach and how many people are affected—especially if it puts their rights or freedoms at risk.
At the end of the day, the GDPR is all about accountability. Data protection will need to be built into business processes, rather than added on later (per Article 25). And controllers will need to ensure that they are using data lawfully and only when required—after which point, it should be deleted.
How Does It Affect US Companies?
Long story short, if you don’t do business in the EU or collect/use the personal data of EU citizens, the GDPR has nothing to do with you. Until a comparable law goes into effect in the US (which seems pretty unlikely for now), strictly domestic organizations needn’t sweat about meeting deadlines or reworking their entire data protection protocol.
But if you do conduct business that involves the data of EU citizens, the GDPR can and will apply to you—even if you’re headquartered in the US.
This is probably a good time to stress that this isn’t something to sleep on if you fall under the GDPR’s scope. With the May 25 deadline fast approaching, a lot of organizations are scrambling to get their act together, and I don’t really blame them. The fines for non-compliance can be up to €20 million or 4 percent of global annual revenue, whichever is greater.
Okay, now that I just dropped those big numbers on you, I’m going to tell you: don’t panic.
A lot of the rules and regulations within the GDPR have actually existed for some time; they’ve just been expanded. So if you’ve been doing business in the EU and processing user data in non-slimy ways, there’s a good chance you’re not completely non-compliant.
The real tricky part is understanding where you stand in all of this ahead of May 25. Many corporations have been holding data for years (if not decades)—not just personal and sensitive information, but also email archives, voice recordings, and legacy tape systems. How those all fit in with the GDPR and the right to erasure is unclear, since the regulation doesn’t name backup data specifically, but some experts still see it as a “better safe than sorry” type of situation.
All of this leads us to the biggest question of all…
How Do You Become GDPR-Compliant?
I can’t sugarcoat this for you—compliance is going to take a lot of work if you haven’t already started. But luckily, it’s definitely not impossible if you have a solid game plan in place, and the smaller your organization is, the less painful this process will actually be.
Let’s explore some initial steps you can start taking to achieve compliance.
1. Determine Your Role and Responsibilities
On an organizational level: Are you a controller or processor? Or perhaps both? Where you fall between these two types of actors will dictate how you should tackle the compliance issue, as well as who else you’ll need to get involved (e.g. third-party suppliers). Additionally, if you’re a US-based company doing business in the EU, you will need to determine who your Supervising Authority (SA) is.
On an individual level: In truth, all stakeholders should get involved in this process—don’t just leave your IT team out to sea with this one! Think of all the departments who touch customer data, such as sales, marketing, finance, etc.—they all have insight into the different ways data gets processed, and it’s likely that they’ll all be affected by any changes you implement.
2. Employ a Data Protection Officer
In some cases, you may need to appoint a Data Protection Officer (DPO). This will be the person to spearhead all compliance initiatives and act as the contact person for your SA. Whether you create an entirely new position or select someone from within your organization, of course, depends on how complex your situation is.
It’s important that everyone in your organization is informed on what compliance looks like so they don’t continue their day-to-day activities in a way that could put everyone at risk. Therefore, your DPO (should you choose to appoint one) needs to be an expert on data protection laws in order to advise your staff and answer any compliance questions that arise. Additionally, they must not perform other tasks that may cause a conflict of interest.
3. Audit and Inventory Your Data
Before you can even start thinking about changing your business processes and moving data around, you need to understand what you’re dealing with in the first place. This requires a full examination of all your data, which you can start by asking yourself:
- What type(s) of data are you storing?
- Where is it being stored?
- Why do you need it?
- How do you retrieve it?
- What goes into deleting it?
Once you have a sense of what data related to EU citizens you even have, then you can begin to create an inventory and determine what you need to keep—and what you should get rid of.
For smaller organizations, this will be a time-consuming task, but one that can probably be achieved with a task force within your organization. Start thinking about how many after-hours pizzas you’re going to have to order.
On the other hand, if you’re a larger organization or have a ton of data, that’s when you should consider appointing a DPO or even engaging a service provider to help with data discovery.
4. Update Your Data Protection Plan
If you’ve been paying attention during the last, oh…I don’t know, two decades, you’re aware that data breaches are a thing and that every company should already have a plan in place to protect data—whether it’s company data or that of their consumers.
Now is a great time to reassess and update your data protection plan in order to incorporate GDPR requirements. By conducting a general data audit (as outlined above), as well as a proper risk assessment, you can identify any new security measures you need to put into place.
5. Start Being Transparent
Transparency is a major cornerstone of the GDPR. The whole point of it, after all, is to give individuals more control over data that relates to them personally. So while you’re auditing the data you already have stored, you also need to be taking a new approach to the data you’ll be collecting and processing moving forward.
A good way to start is by reassessing your consent and disclosure procedures, and updating them accordingly.
For example, do you collect data on your website visitors via cookies? You’ll need to place a clear, unambiguous notification up to let them know that you’re doing it and how you’ll be using that data. Plus, you’ll need to give them an option to consent or decline.
Given how vital consumer data has become to organizations seeking to better understand and serve their customers, regulations such as the GDPR help to unify data protection processes that might otherwise be a complete legal nightmare from country to country. Furthermore, any legislation that places the power over personal information back in the hands of individuals is valuable as we become more and more plugged in.
There are many companies in the United States that won’t ever need to think about the GDPR, of course. But if you do business in the European Union or ever process the personal data of EU citizens, you need to stay aware of how it affects you—and you need to make sure you’re compliant. Hopefully, this post has given you a lot to think about moving forward.
And if anything outlined here has you sweating with uncertainty, I welcome you to read through the General Data Protection Regulation yourself. Granted, it’s an eye-watering 88 pages long, but the consequences that you may face for non-compliance if your company does business in the EU are probably much, much worse.