The implications of the General Data Protection Regulation (GDPR) for US companies that control or process the personal data of individuals located within the EU will be significant – and compliance is compulsory.
The GDPR is a new EU data protection law that came into effect on May 25, 2018. The Regulation places greater obligations on companies and organisations processing the personal data of data subjects in the European Union and gives those individuals (the "data subjects" of the legislation) more control over their personal data. Under the GDPR, a data subject is essentially a living individual within the EU whose personal data is being processed. A data subject within the legislation could also be a US citizen living in or traveling to the EU.
Examples of the greater rights the GDPR gives data subjects include the new rights to data portability and data erasure, along with the other current rights to object to processing and to be informed of, or request a copy of, the personal data a company holds on them.
The implementation of the GDPR will require comprehensive changes to business practices for many companies that do not already have a comparable level of data protection in place. Company departments from Finance to HR, Marketing, Sales, and Customer Support will all be affected by the required changes. Companies working with partners will also have to ensure that these entities are GDPR-compliant. Typically, the data controller will sign a data processing agreement with its data processors to document responsibilities and ensure processors act on the controller’s instructions.
Does GDPR Apply to US Companies?
Many businesses have asked whether the GDPR applies to US companies that are already compliant with the EU-US Privacy Shield. The answer is yes: they are in scope of the GDPR if they process, or are a controller of, personal data of data subjects in the European Union.
The GDPR has a much wider scope than the EU-US Privacy Shield, which only governs the flow of personal data in transatlantic data exchanges and exists as an agreement to allow this flow of information to take place. US companies within the scope of the GDPR should assume they will have to comply with all the Regulation’s requirements.
How the GDPR applies to US companies controlling or processing personal data can be complicated – particularly with regard to those who collect personal data pertaining to individuals located both inside and outside the EU, or to cloud environments based within the EU but supported in the US.
The difficulty of addressing these questions, as well as several other complicated areas, makes GDPR compliance for US companies an area that requires action to be taken as soon as possible.
Compliance will be mandatory for those US companies controlling or processing the personal data of data subjects in the European Union, even where the processing takes place outside the Union.
GDPR Compliance for US Companies
One reason why GDPR compliance for US companies is so important is that the penalties for non-compliance are significant. Companies cannot ignore this game-changing regulation. The GDPR has been described by some tech industry experts as being the “privacy equivalent of SOX” – implying the significance of GDPR for US companies that have European customers.
The good news is that a recent survey published by PwC points to the fact that many multinational companies are taking GDPR for US companies seriously. Over half of the respondents to the PwC survey said GDPR is their top data protection priority, and 77% of those claimed they will be spending $1 million or more on compliance issues. However, there is a question mark about how quickly mid-cap companies from the US are preparing themselves for the May 2018 deadline.
The following considerations may provide an indication of the most important tasks that will be needed for US companies to be GDPR compliant:
Audit Your Data
Auditing the data your company holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.
Key questions to answer include: where your data is stored; why certain kinds of personal data are being processed; what the legal basis for processing is; how long the data is retained; who currently has access to personal data and who should have access to it moving forward; whether the appropriate technical and organisational controls are in place; and how much duplication of customer personal data exists across multiple sites.
All these areas need to be addressed before you can decide on the best course of action for your business. This first step, creating a holistic view of where all the different types of your customer data reside, is a critical one. If you don’t know what personal data you hold, you can’t make any plan around that data.
Data Protection Impact Assessments (DPIAs) may need to be carried out by companies before new processing starts, to ensure that data protection by default and by design, a key GDPR concept, is in place. Most European data commissioners give guidance on their websites around DPIAs and when they should be carried out.
Audit Your Service Providers
Auditing your service providers’ compliance is where a lot of US companies may fall flat, and it may be where the most significant risk in your business resides. You will need to review your agreements with third-party service providers who process personal data on your behalf and sign data processing agreements with them. The data controller is obliged to sign contracts under GDPR, and the data processor can only act on the controller’s instructions.
If one of your data service providers is not able to prove that they are on the right side of GDPR compliance for US companies, then the work they do related to the personal data of your data subjects in the EU could be deemed non-compliant and put the controller at risk.
The Right to be Forgotten and Data Subject Rights
The GDPR introduces two additional rights for people in the EU who are covered by the regulation: the right to be forgotten (erasure) and the right to portability of their data. The rights of data subjects under GDPR are extensive and are governed by Articles 15-22 of the GDPR. Those rights also include the right of access (to receive a copy of their personal data), the right to rectification, the right to restriction of processing, and the right to object to processing, including automated processing and profiling.
These rights may lead to a significant increase in requests from data subjects in the European Union, and companies and organisations must ensure they are set up and staffed correctly to deal with them.
Controllers and Processors
You will need to understand whether you fall into the category of a data processor or a data controller under the new GDPR guidelines. A data processor is a company that processes personal data on behalf of a controller. A data controller is a company that determines the purposes and means of how customer data is to be processed. The controller and processor roles carry different implications for how a US company complies with the GDPR, and your company could be both a data controller and a data processor at the same time.
To complicate matters even further, a data controller can have multiple data processors, and each processor can in turn have multiple sub-processors. Under the new Regulation, the data controller is liable for the actions of the data processors that it works with in the market. It is essential that US companies carefully select their data processors where the data of data subjects in the EU is being processed and sign data processing agreements with them. A data processing agreement should govern the relationship between a controller and a processor and, in turn, the processor’s sub-processors. The agreement should include all aspects of data protection governance; Articles 28 and 82 of the GDPR detail what these agreements or contracts should cover.
GDPR Penalties and Fines
The new enforcement procedures and fines associated with GDPR compliance are perhaps the aspects which have most US corporate leaders sitting up and paying close attention.
The hefty penalties associated with non-compliance with the GDPR could reach into millions of dollars. Companies that do not comply will fall into one of two categories, and the higher of these could cost €20 million or 4% of the company’s annual turnover, whichever is higher.
It is highly likely that the first companies to be penalized for non-compliance will receive significant attention. The reputational damage to companies that do not comply with the new law could be more costly than the GDPR fines themselves.
It is very possible that some of your competitors will be preparing to use GDPR compliance as a competitive advantage to position themselves ahead in the marketplace.
Are you prepared to suffer the reputational damage that non-compliance could bring to your company? In the months and years ahead, data privacy could become the new arena for marketers to compete and win new customers, and your company should be preparing for that battle.
Data Protection Officer
In some cases, companies will need to recruit a Data Protection Officer (DPO). Article 37 of the GDPR sets out guidelines regarding when a DPO is mandatory, and Article 38 explains the position of the DPO.
The GDPR is going to impact almost all operational teams within your company. Complying with the new regulation is going to require a lot of hard work, and it may be a best practice to centralize all the work under one person’s responsibility rather than having multiple data ‘chiefs’ within your company. If someone is accountable, then they take charge and put things into motion to achieve compliance.
Data Breach Notification
If a data breach does occur, your company must report the event to the appropriate data protection authority within 72 hours of becoming aware of the event.
Each EU member state has its own data protection authority that will be responsible for implementing the GDPR rules. If the data breach poses a high privacy risk, that is, a high risk to the rights and freedoms of data subjects (your customers), then those customers must also be notified by your company.
Prepare for Data Breaches
You will need to review and update the internal processes that you currently have in place at your company to detect, report, and investigate data breaches once they happen so you can comply with the timeframe and rules set down by the GDPR and supervisory authorities.
Record of Processing, Legal Basis and Consent
You will need to document the record of processing as set out in Article 30 of the GDPR, and understand and document the appropriate legal basis for processing personal data. Understanding your legal basis should be part of the data audit. Where consent is the legal basis, for example for marketing lists, a company must be able to demonstrate how that consent was obtained. Consent should be granular, specific, freely given by an unambiguous affirmative action, and as easy to withdraw as to give.
While a large part of the GDPR focuses on how companies look after their consumers’ data, your company will also have to apply the GDPR standards to employee data.
Data Retention Policy
A data retention policy is a key GDPR component, and the documentation and accountability requirement under GDPR means that the retention policy of organisations and companies needs to be documented. To comply with the GDPR, it makes sense for organisations and companies to audit the data they hold, document a data retention policy that takes their statutory requirements into account, and regularly review their processing and the personal data they hold in line with that policy. The GDPR brings a requirement to demonstrate extra accountability, so the organisation or company must be able to demonstrate compliance.
GDPR for US Companies: Ongoing Compliance
The GDPR has the potential to affect almost every aspect of your business if you process the personal data of data subjects within the EU. Fortunately, the implications which the GDPR holds for US companies will hold true across the board and have the same impact on all your competitors’ activities.
Your teams will need to work together on this common project in a cohesive manner. The entire organization will need to remain aware of ongoing compliance with the GDPR even after your company has achieved a certain standard of compliance to initially adhere to the law. More resources may need to be hired to deal with data subject rights, or indeed a full or part-time DPO may need to be hired.
This new regulation will take time to understand in detail and the “privacy equivalent of SOX” is going to have a significant impact on US companies that sell products or services to EU customers.
Some marketers are seeing the GDPR as an opportunity to distinguish their company’s value proposition from that of their competitors. It would be wise to start preparing the work now that could lead to your company building a sustainable competitive advantage in the market and avoid the reputational damage that could follow should your company be found to be non-compliant.