The implications of the General Data Protection Regulation (GDPR) for US companies that collect, maintain, or process the personal data of individuals located within the EU are significant – and compliance is compulsory.
The GDPR is the EU data protection law that came into effect on May 25, 2018. The Regulation governs how the personal data of individuals in the EU can be collected, used, and maintained, and gives those individuals more control over their data.
Examples of this greater control include the rights of individuals to have a say in what data is collected about them, to know how data about them is used, and to know for how long it will be retained.
The implementation of the GDPR will require comprehensive changes to business practices for many companies that do not already have a comparable level of data privacy in place. Company departments from Finance to HR, Marketing, Sales, and Customer Support will all be affected by the required changes. Companies working with partners will also have to ensure that these entities are GDPR-compliant.
Does GDPR Apply to US Companies?
Many businesses have asked whether the GDPR applies to US companies that are already certified under the EU-US Privacy Shield. The answer is yes.
The GDPR has a much wider scope than the EU-US Privacy Shield, which is a transfer mechanism: it exists to allow personal data to flow from the EU to certified US companies, and it does not replace the Regulation’s substantive obligations. US companies within the scope of the GDPR should assume they will have to comply with all of the Regulation’s requirements.
How the GDPR applies to US companies collecting, using, or maintaining personal data can be complicated – particularly for those that hold data on individuals located both inside and outside the EU, or that run cloud environments hosted within the EU but administered from the US.
The difficulty of these questions, along with several other complicated areas, makes GDPR compliance for US companies a matter that requires action as soon as possible.
GDPR Compliance for US Companies
One reason why GDPR compliance for US companies is so important is that the penalties for non-compliance are significant. Companies cannot ignore this game-changing regulation. The GDPR has been described by some tech industry experts as being the “privacy equivalent of SOX” – implying the significance of GDPR for US companies that have European customers.
The good news is that a recent survey published by PwC indicates that many multinational companies are taking the GDPR seriously. Over half of the respondents to the PwC survey said GDPR is their top data protection priority, and 77% of those said they will spend $1 million or more on compliance. However, there is a question mark over how quickly US mid-cap companies are preparing themselves for the May 2018 deadline.
The following considerations may provide an indication of the most important tasks that will be needed for US companies to be GDPR compliant:
Audit your data
Auditing the data your company holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.
Key questions to answer include where your data is stored; why each kind of data is collected; how customer data is obtained; and how much duplication of customer data exists across multiple systems and sites.
All of these questions need to be answered before you can decide on the best course of action for your business. This first step, building a holistic view of where every type of customer data resides, is a critical one.
Audit your service providers’ data
Auditing your service providers’ handling of your data is where a lot of US companies may fall flat, and it may be where the most significant risk in your business resides. You will need to review how your third-party service providers store and process your data and re-evaluate your service level agreements and contracts with them.
If one of your service providers cannot demonstrate that it meets the GDPR’s requirements, then the processing it performs on your EU customer data could be deemed non-compliant, and you, as the company that engaged it, share responsibility for that.
The right to be forgotten
The GDPR strengthens or introduces several rights for individuals in the EU who are covered by the Regulation, among them the right to erasure (the “right to be forgotten”), the right of access (to request a copy of their data), the right to rectification, and the right to data portability.
These rights allow individuals to request the deletion of their personal data from company systems in certain circumstances; to have erroneous data corrected; to obtain a copy of the data held about them; and to have their data transferred to another company at their request.
These rules will also have a significant impact on how requests from EU customers must be handled: under the GDPR, organizations must respond to such requests without undue delay and in any event within one month, a period that can be extended by a further two months only for complex or numerous requests, and only if the individual is told why within the first month.
Controllers and Processors
You will need to understand whether you are a data processor or a data controller under the GDPR. A data processor is an organization that processes personal data on behalf of a controller. A data controller is an organization that determines the purposes and means of processing personal data. The two roles carry different obligations under the Regulation, and your company can be a controller for some processing and a processor for other processing at the same time.
To complicate matters further, a data controller can use multiple data processors. Under the Regulation, the controller remains responsible for the processing carried out by the processors it engages, and must use only processors that provide sufficient guarantees of compliance; processors also carry their own direct obligations and can be held liable for breaching them. It is essential that US companies carefully select their data processors for EU personal data, as not all of these service providers will be in compliance with the GDPR in time.
A written contract must govern the relationship between a controller and a processor. The contract should set out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of individuals involved, the controller’s instructions, and how the data is to be returned or deleted at the end of the engagement.
GDPR Penalties and Fines
The new enforcement procedures and fines associated with GDPR compliance are perhaps the aspects which have most US corporate leaders sitting up and paying close attention.
The penalties for non-compliance can reach into the millions of dollars. Infringements fall into two tiers: the lower tier carries fines of up to €10 million or 2% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher, and the higher tier carries fines of up to €20 million or 4% of that turnover, whichever is higher.
It is highly likely that the first companies to be penalized for non-compliance will receive significant attention. The reputational damage to companies that do not comply with the new law could be more costly than the GDPR fines themselves.
It is very possible that some of your competitors will be preparing to use GDPR compliance as a competitive advantage to position themselves ahead in the marketplace.
Are you prepared to suffer the reputational damage that non-compliance could bring to your company? In the months and years ahead, data privacy could become the new arena for marketers to compete and win new customers, and your company should be preparing for that battle.
Data Protection Officer
A Data Protection Officer must be appointed where an organization’s core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions; public authorities must appoint one as well. The 250-employee threshold that is sometimes cited in this context actually concerns the exemption from keeping records of processing activities, not the DPO requirement. For companies outside these cases, appointing a DPO is not mandatory, though it may still be advisable.
The GDPR is going to impact almost all operational teams within your company. Complying with the Regulation is going to require a lot of hard work, and it is a good practice to centralize that work under one accountable person rather than having multiple data ‘chiefs’ within your company. If someone is accountable, they can take charge and put things into motion to achieve compliance.
Data Breach Notification
If a personal data breach does occur, your company must report it to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay.
Each EU member state has its own supervisory authority responsible for enforcing the GDPR. If the breach is likely to pose a high risk to the rights and freedoms of your customers, then those customers must also be notified without undue delay.
Prepare for Data Breaches
You will need to review and update the internal processes you currently have in place to detect, contain, report, and investigate data breaches, so that you can meet the timeframes and rules set down by the GDPR and the supervisory authorities. In practice this means knowing in advance who decides whether a breach is reportable, who contacts the authority, and what records of the incident are kept, since the 72-hour clock starts when the company becomes aware of the breach, not when the investigation is complete.
Redesign consent forms
You will need to redesign how you present consent and disclosure forms to your customers. Consent must be obtained separately for each distinct purpose for which you use your customers’ data. Your customers must be able to accept the purposes they agree with and decline those they do not, and you need to store each customer’s choices, together with when and how they were given, so that you can demonstrate consent later.
Consenting to data use must be a separate action from agreeing to other matters such as general terms and conditions. Consent must also take the form of an unambiguous affirmative action.
This means that individuals must actively do something to give consent. Inaction, such as leaving a pre-checked consent box checked or remaining silent on a telephone call, no longer counts as consent.
Any consent previously acquired through pre-checked boxes, silence, or bundled terms must be reacquired in order to meet the new consent standard.
While a large part of the GDPR focuses on how companies look after their customers’ data, your company will also have to apply the same standards to employee data.
Staff must be informed of the new rules and adequately trained to handle customer data under them, and HR will also have to review staff contracts, employee consent, data storage, and other aspects of employee data to ensure that internal data procedures are also compliant with the GDPR.
GDPR for US Companies: Conclusion
The GDPR has the potential to affect almost every aspect of your business. Fortunately, the obligations it imposes on US companies apply equally to your competitors, whether they are based in the US, the EU, or another region.
Your teams will need to work together on this common problem in a cohesive manner. The entire organization will need to remain aware of the implications of the GDPR even after your company has achieved compliance, since compliance has to be maintained, not achieved once.
This new regulation will take time to understand in detail and the “privacy equivalent of SOX” is going to have a significant impact on US companies that sell products or services to EU customers.
Some marketers are seeing the GDPR as an opportunity to distinguish their company’s value proposition from that of their competitors. It would be wise to start preparing the work now that could lead to your company building a sustainable competitive advantage in the market and avoid the reputational damage that could follow should your company be found to be non-compliant.