It is a common misconception that the General Data Protection Regulation (GDPR), which comes into force on May 25th 2018, only applies to businesses and organizations which are based within the EU and that international organizations will be exempt. This is not the case. The GDPR applies to the data of all individuals who are located within the EU at the time their data is processed. This means that any business which has customers within the EU needs to comply with the GDPR no matter where the business itself is based. It also applies to Controllers and Processors based in the EU so if you are living in Asia, but the Controller or Processor is EU based you can expect GDPR standards of data protection applied to your data.
It is also important to keep in mind that, while it is an EU regulation, it does not just apply or exclusively apply to EU citizens. It is a law concerning the territory of the EU, not nationals of EU Member States. As such, a Chinese person on holiday in Italy would be covered by the GDPR, whereas a Dutch person located in Singapore would not unless their data is processed by a Controller or Processor based in the EU
This is an important point for data protection professionals across the world. Failure to comply with the GDPR could lead to their businesses facing sanctions and punishments, including fines of up to €20 million or 4% of their global annual turnover, whichever is greater. They should take careful note of where data is processed and where the data subjects are based at the time of the processing.
Organizations with offices within the EU will also be governed by GDPR rules. The GDPR notes “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union”. In short, this requires groups based within the EU that control or process personal data, either themselves or through a sub-processor, to be compliant with the GDPR and its stipulations.
What do International Organizations Need to Consider?
Audit your data
Auditing the data your organisation holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.
Key questions to answer include locating where your data is stored; why certain kinds of personal data are being processed; what is the legal basis for processing; how long it is retained; who has access currently to personal data and who should have moving forward; are the appropriate technical and organisational controls in placeand how much duplication of customer personal data exists across multiple sites.
All these areas need to be addressed before you can decide on the best course of action for your business. This first step in creating a holistic view of where all the different types of your personal data is residing is a critical one. If you don’t know what personal data, you hold you can’t make any plan around that data.
DPIA’s or Data Protection Impact Assessments may need to be carried out by organisations before new processing starts to ensure data protection by default and by design is in place, a key GDPR concept. Most European Data commissioners give guidance on their websites around DPIA’s and when they should be carried out.
Audit your service providers
The task of auditing your service provider’s compliance is where a lot of International organisations may fall flat and may be where the most significant risk resides in your business. You will need to review your agreements with third-party service providers who process personal data on your behalf and sign data processing agreements. The data controller is obliged to sign contracts under GDPR, and the data processor can only act on the Controllers instructions. An International organisation may have an extensive network of data processors.
Should one of your data service providers is not able to prove that they are on the right side of GDPR compliance for US organisations, then the work they do related to the personal data of your data subjects in theEU could be deemed non-compliant and put the controller at risk.
The right to be forgotten and Data Subject Rights
The GDPR introduces two additional rights for people in the EU that are covered by the regulation; the right to be forgotten(erasure) and the right to portability of their data. The rights of data subjects are extensive under GDPR governed by Articles 15-22 of GDPR, Those rights also include, the right to access to receive a copy of their personal data, the right to rectification and restriction of processing and the right to object to processing including to automated processing and profiling.
These rights may lead to a significant increase in requests from data subjects in the European Union and International organisations must ensure they are set up and staffed correctly to deal with them.
Controllers and Processors
You will need to understand whether you fall into the category of a data processor or a data controller under the new GDPR guidelines. A data processor processes personal data on behalf of a controller. A data controller determines the purposes and means of how customer data is to be processed. Both Controllers and Processors have different implications concerning how they comply with the GDPR for US organisations, and your International organisation could be both a data controller and data processor at the same time.
To complicate matters even further, a data controller can have multiple data processors and the processor in turn multiple sub-processors. As explained earlier, under the new Regulation, the data controller is liable for the actions of the data processors that they work with in the market. It is essential that International organisations carefully select their data processors where the data of data subjects in the EU is being processed and sign data processing agreements with them, A data processing agreement should govern the relationship between a controller and a processor and in turn the processors sub-processors. The agreement should include all aspects of data protection governance and article 28 and 82 of the GDPR detail what these agreements or contracts should cover.
GDPR Penalties and Fines
The new enforcement procedures and fines associated with GDPR compliance are perhaps the aspects which have most US corporate leaders sitting up and paying close attention.
The hefty penalties associated with non-compliance of GDPR could reach into millions of dollars. Organisationsthat do not comply will fall into one of two categories, and the higher of these could cost €20 million or 4% of the International organisation’s annual turnover, whichever is higher.
It is highly likely that the first organisations to be penalized for non-compliance will receive significant attention. The reputational damage to organisations that do not comply with the new law could be more costly than the GDPR fines themselves.
It is very possible that some of your competitors will be preparing to use GDPR compliance as a competitive advantage to position themselves ahead in the marketplace.
Are you prepared to suffer the reputational damage that non-compliance could bring to your International organisation? In the months and years ahead, data privacy could become the new arena for marketers to compete and win new customers, and your International organisation should be preparing for that battle.
Data Protection Officer or EU Representative
In some cases, organisations will need to recruit a Data Protection Officer (DPO). The GDPR sets out guidelines when A DPO is mandatory in Article 37 of the GDPR and Article 38 explains the position of the DPO. In other cases where the International Organisation does not have a physical presence in the EU but is regularly processing personal data of data subjects in the EU the organisation may need to appoint a permanent EU-based GDPR Representative.
The GDPR is going to impact almost all operational teams within your International organisation. Complying with the new regulation is going to require a lot of hard work, and it may be a best practice to centralize all the work under one person’s responsibility rather than having multiple data ‘chiefs’ within your International organisation. If someone is accountable, then they take charge and put things into motion to achieve compliance.
Data Breach Notification
If a data breach does occur, your organisation must report the event to the appropriate data protection authority within 72 hours of becoming aware of the event.
Each EU member state has its own data protection authority that will be responsible for implementing the GDPR rules. If the data breach poses a high privacy risk, a high risk to the rights and freedoms of data subjects (your customers), then those customers must also be notified by your organisation.
Prepare for Data Breaches
You will need to review and update the internal processes that you currently have in place at your organisationto detect, report, and investigate data breaches once they happen so you can comply with the timeframe and rules set down by the GDPR and supervisory authorities.
Record of Processing Legal Basis and consent
You will need to document the record of processing as set out in GDPR article 30 and understand and document the appropriate legal basis for processing of personal data. Understanding your legal basis should be part of the data audit. Where consent is the legal basis, for example for marketing lists, an organisation must be able to demonstrate how that consent was obtained. Consent should be granular, specific, freely given by an unambiguous affirmative action and as easy to withdraw as to give.
While a large part of the GDPR regulation focuses on how organisations look after their consumers’ data, your International organisation will also have to apply the GDPR standards to employee data.
Data Retention Policy
A data retention policy is a key GDPR component and the documentation and accountability requirement under GDPR means that the retention policy of organisations needs to be documented. To comply with the GDPR, it makes sense for organisations to audit the data they hold, document a data retention policy considering their statutory requirements and regularly review their processing and personal data held in line with their retention policy. The GDPR brings a requirement to demonstrate extra accountability so the organisation must be able to demonstrate compliance.
Consider GDPR as a Standard
Some companies and organisations have adapted the GDPR standard of data protection in all the jurisdictionswhere they operate world-wide this approach may be very relevant for International Organisations. This application of GDPR everywhere would certainly help with the accountability and transparency GDPR requirements and assist with documentation of policies and recording ongoing compliance.