GDPR compliance will significantly strengthen the protection of personal data of European Union (EU) citizens by increasing the obligations of organizations that collect or process it. Failure to meet compliance requirements could result in massive penalties, potentially totaling €20 million (approximately $24 million) or 4% of a company’s global annual revenue (whichever is greater). But there’s still a lot of confusion about what this actually means for business.
1. It doesn’t matter if you’re based in the U.S.
If you’re a U.S.-based business, don’t make the mistake of believing the GDPR doesn’t apply to you. The only requirement for compliance is that you have access to the personal information of any individual residing in the EU. For instance, let’s say ABC Company is a Philadelphia-based organization with a monthly email newsletter that reaches several subscribers in Germany. The company’s physical location doesn’t matter, but the fact that ABC has access to EU citizens’ personal information (in this case, email addresses) does.
2. Brexit won’t affect compliance.
In 2016, British voters passed a referendum to leave the EU (“Brexit”); however, the country won’t officially withdraw until March 2019. That means U.K. citizens are still considered residents of the EU until 2019, and their personal data is protected under the GDPR. The U.K. government has stated that due to strong voter support for stricter data privacy laws, it will most likely pass its own legislation that largely mirrors the GDPR. So, even if the U.K. is the only European country from which you collect or process data, you still need to be fully compliant by the deadline.
3. Personal data may include more than you think.
The goal of the GDPR is to safeguard the “right to the protection of personal data,” but what qualifies as personal data? The official text defines it as “any information that can be used to directly or indirectly identify the person.” The definition goes on to state that this can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.” Take ABC Company from the previous example, with its email newsletter that reaches several subscribers in Germany. Simply the fact that it has access to those email addresses is enough to require compliance with the GDPR.
4. Article 29 is a valuable resource.
As you work toward compliance, the guidance published by the Article 29 Working Party will be the most beneficial resource. Whereas the text of the GDPR details the compliance requirements, the Article 29 Working Party lays out guidelines on how you can actually meet those requirements. The Article 29 Working Party updates its website as new information about the regulation, or changes to it, become official.
5. Changes are inevitable.
Since the regulation was adopted in 2016, the Article 29 Working Party and various government entities have been issuing guidance on GDPR compliance. It’s likely these clarifications will continue right up to the effective date. Lisanne Steinheiser, global compliance officer at Insight, advises keeping a close eye on the Article 29 Working Party site to see how the changes affect your compliance targets.
6. Governance should come first.
On your journey toward compliance, carefully consider the people within your organization who will tackle this project. Bret Wingert, vice president of operations at Insight, has been working on Insight’s compliance process since early 2017. He recommends including teammates across your business, from lawyers to marketers. He also advises creating not only a cross-departmental team but a cross-regional one. Speaking about Insight’s compliance team, he says, “Since the company as a whole is ultimately liable, we felt that it was important that it was a very global team.”
7. Legal involvement is paramount.
Steinheiser strongly urges including regular communication with legal counsel as you work toward compliance. “To be honest, the first thing organizations should do is speak to counsel,” she says. “There are even firms now in the EU that specialize in compliance.” Whether you use your internal legal team, an external firm, or a combination of the two, be sure to consult them at every stage of the journey.
8. Data breach preparation is a must.
The last five years have seen a significant rise in security breaches and stolen information. The fact that many companies fail to report breaches to the affected individuals has left consumers worldwide feeling that they can’t trust organizations to protect their personal information. This mistrust led to the inclusion of a specific article in the GDPR that addresses the need for timely breach notification. Though the section is fairly short, it poses one of the biggest logistical barriers to compliance.
As per the article, the “controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” Individual data subjects must also be notified “without undue delay” if the breach “is likely to result in a high risk to [their] rights and freedoms.”
With these strict time constraints, it’s essential to create a detailed plan of how your organization will handle a breach. Establish who will notify your advisory board and how, who will compile a list of data subjects to notify, and who will notify these individuals and how.
9. History matters.
Many industry leaders in the U.S. have criticized the GDPR for being too broad, too strict, and too invasive for businesses. It’s important to understand that after World War II, many national governments, especially those in Europe, recognized the need to protect citizens’ personal data to avoid repeating the harms of the past. In 1948, the United Nations’ Declaration of Human Rights stated that it is everyone’s right not to “be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation.” In 1990, the U.N. further extended this right to personal data.
Since the EU’s inception in 1993, the protection of personal data of its citizens has been recognized as a fundamental right. In 1995, the EU passed Directive 95/46/EC, which regulated how personal information could be collected and used in the EU. But as the internet grew in scope and popularity, EU citizens began to demand more direct control over the process. As a result, the previous directive was replaced in 2016 by the General Data Protection Regulation, significantly strengthening citizens’ right to data protection.
10. Similar laws are likely in the future.
Historically, EU citizens may have cared the most about protecting their information, but they’re no longer the only ones demanding this. As shown in Figure 1, American citizens are also concerned about personal data privacy: 58% believe every internet user should think about their data, and 46% feel many internet companies exploit their position to collect data. More than a third (37%) said they take proactive measures regarding data protection.
As personal data becomes easier to collect and the number of data breaches rises, people are more concerned about who has access to their information and why. Consumers today expect transparency from global businesses, especially when it involves their personal data. It’s highly likely this change in public opinion will lead to more data privacy laws like the GDPR in the near future.
Concerns about meeting GDPR compliance by the deadline continue to abound. There’s been a lot of speculation regarding how strict the EU will be when it comes to fines. Will it demand €20 million on May 25 if your business is not 100% compliant? Will it make an example of one or two big businesses? Will it send out warnings at first? Many thought leaders believe the EU will be surprisingly lenient — as long as you’re working hard toward compliance.