The implications of GDPR for US companies who collect, maintain or process personal data of EU citizens will be significant – and compliance is compulsory.
The European Union's General Data Protection Regulation (GDPR) takes effect in May 2018. The Regulation affects how the personal data of EU citizens is collected, used and maintained, and gives individuals a greater say in what data is collected about them, the right to know how that data is used, and the right to know for how long it will be used.
The implementation of GDPR will require comprehensive changes to business practices for companies that do not already have a comparable level of data privacy in place. Everything from finance to HR, marketing, sales and customer support will likely be affected by the required changes. Companies working with channel partners will also have to ensure their partners are GDPR-compliant.
Does GDPR Apply for US Companies?
Many businesses have asked whether GDPR applies to US companies that are already compliant with the EU-US Privacy Shield. The answer is yes. GDPR has a much wider scope than the EU-US Privacy Shield, which only protects the flow of personal data in transatlantic data exchanges. US companies within the scope of GDPR should assume they will have to comply with the Regulation's requirements.
How GDPR applies to US companies collecting, using or maintaining personal data can be complicated – particularly with regard to EU citizens temporarily resident in the US, or cloud environments based within the EU but logically supported in the US. These questions, and several more, make GDPR compliance an issue that US companies should address quickly.
GDPR Compliance for US Companies
The reason GDPR compliance is so important for US companies is that the penalties for non-compliance are significant. Companies cannot ignore this game-changing regulation. GDPR has been described by some tech industry compliance experts as the “privacy equivalent of SOX” – an indication of how seriously US companies with European customers should take it.
The good news is that a recent survey published by PwC suggests many multinational companies are taking GDPR seriously. Over half of the respondents to the PwC survey said GDPR is their top data protection priority, and 77% of those said they will be spending $1 million or more on compliance. However, there is a question mark over how quickly mid-cap US companies are preparing themselves for the May 2018 deadline.
The following considerations give an indication of the most important tasks that will be needed for US companies to achieve GDPR compliance:
Audit your data
Auditing your company data will not be a trivial task, but it will enable you to make many informed decisions on how to comply with GDPR. Where is your data stored? Why do you collect certain kinds of data? How do you obtain your customer data? Is there much duplication of your customer data across multiple sites? All of these questions need answering before you can decide on the best course of action for your business. This first step, building a holistic view of where all the different types of your customer data reside, is a critical one.
Audit your service providers’ data
Auditing your service providers’ data is where a lot of US companies may fall flat, and it may be where the most significant risk in your business resides. You will need to review your third-party service providers’ data storage and processing, and re-evaluate service level agreements. If one of your data service providers cannot prove that it is GDPR-compliant, then the work it does on your EU customer data will be deemed non-compliant.
The right to be forgotten
GDPR introduces two new rights for EU citizens that you will need to understand. The right to be forgotten was written into the Regulation to allow individuals to request the deletion of their personal data from company servers in certain circumstances. GDPR also gives EU citizens the right to receive their data in a standard format and to have it transferred to another company at the customer’s request. These rights will have a significant impact on how you service and respond to EU customer data requests after the May 2018 deadline has passed.
Controllers and Processors
You will need to understand whether you fall into the category of data processor or data controller under the new GDPR guidelines. A data processor is a company that processes personal data on behalf of a controller. A data controller is a company that determines the purposes and means of how customer data is processed. The two roles carry different compliance obligations under GDPR, and your company could be both a data controller and a data processor at the same time.
To complicate matters further, a data controller can have multiple data processors. Under the new Regulation, the data controller is liable for the actions of the data processors it works with. It is essential that US companies carefully select their data processors for the EU market, as not all of these service providers will be GDPR-compliant in time. A contract should govern the relationship between a controller and a processor. The agreement should cover the customer data itself, how long you store it, how it is to be deleted, and the type and purpose of the data.
GDPR Penalties and Fines
The new enforcement procedures and fines associated with GDPR compliance are perhaps what have most US corporate leaders sitting up and paying close attention. The hefty penalties for non-compliance with GDPR could quickly reach millions of dollars. Companies that do not comply will fall into one of two categories, the higher of which could cost companies 20 million Euros or 4% of the company’s net income.
Once the new regulation goes live in May 2018, it is highly likely the first companies to be penalized for non-compliance will receive significant attention. The reputational damage to companies that do not comply with the new law could be more costly than the GDPR fines themselves. It is very possible that some of your competitors will be prepared to use GDPR compliance as a stick to get ahead of your business in the marketplace. Are you prepared to suffer the reputational damage that non-compliance could bring to your company? In the months and years ahead, data privacy could become the new battleground for marketers to compete and win new customers, and your company should be preparing for that battle.
Data Protection Officer
In some cases the recruitment of a Data Protection Officer will be an absolute requirement. For others, it may not be necessary to go all the way and recruit a data protection officer. GDPR is going to impact nearly all of your operational teams within your company. Complying with the new regulation is going to require a lot of hard work, and you will need to centralize all the work under one person’s responsibility rather than having multiple data ‘chiefs’ within your company.
Data Breach Notification
When a data breach does occur, your company must report the event to the right data protection authority within 72 hours of the event taking place. Each EU member state has its own data protection authority that will be responsible for implementing new GDPR regulation. If the data breach poses a high privacy risk for your customers, then those customers must also be notified by your company.
Prepare for Data Breaches
You will need to review and update the internal processes that you currently have in place at your company to detect, report, and investigate data breaches once they do happen so you can comply with the timeframe and rules handed down by GDPR regulators.
Redesign consent forms
You will need to redesign how you serve consent and disclosure forms to your customers. You will need to obtain agreement for every single use-case you have developed for your customers’ data. Your customers will need to be able to select the use-cases they agree with and decline those they do not, and you will need to be able to store each customer’s preferences in your databases.
While a large part of the GDPR regulation focuses on how companies look after their consumer data, your company will have to do more than just make sure it is compliant with those requirements. You will also have to inform your staff in the EU of the new rules and make sure your employees are adequately trained to handle customer data under the new guidelines.
GDPR for US Companies: Conclusion
As you can see, this new EU data privacy regulation is going to touch almost every aspect of your business. Fortunately, GDPR is going to have the same impact on all of your competitors’ activities. Your teams will need to work together on this common problem in a cohesive manner, and your whole organization will need to remain aware of the implications of GDPR even after your company has achieved compliance, in order to stay compliant.
This new regulation will take some time for you and your teams to understand in detail. The new “privacy equivalent of SOX” is going to have a significant impact on US companies that sell products or services to EU customers, whether you like it or not. Some marketers see GDPR as a market opportunity to distinguish their company’s value proposition from that of their competitors. It would be wise to start the preparatory work now: it could lead to your company building a sustainable competitive advantage in the market and avoid the reputational damage that could follow if your company is found to be non-compliant.