Many U.S. companies have been investigating the impact of new data protection requirements that take effect soon in the European Union (EU). Referred to as the GDPR, these rules govern how customers' and users' personal data is handled.
A great deal of discussion has been focused on the new requirements and the potential penalties for non-compliance.
Yet, with less than a month until the compliance deadline of May 25th, 2018, many organizations find themselves unprepared.
We thought it would help to give you some details about these new requirements so you can determine what the impact might be for your business. We do not present this information as an exhaustive or legal review of the topic. Please consult with your corporate lawyer if you think there is an area of concern for you and your business.
What does GDPR mean?
First, let us discuss what kind of rule the GDPR is. It is a regulation adopted by the EU Parliament and Council that replaces the 1995 Data Protection Directive and sets strict rules for handling individuals' personal data. Unlike a directive, a regulation applies directly in every member state without needing separate national legislation. The GDPR imposes many obligations on companies, but its general aim is to give people in the EU better control over how companies use their personal data, and to guarantee transparency about how companies handle that data.
This regulation replaces the patchwork of national privacy laws across the entire EU with a single set of rules. It also affects businesses around the world that sell to, or store personal information about, people in the EU.
BEWARE – If your business has operations in the EU, or it processes the personal data of people in the EU, this new General Data Protection Regulation (GDPR) affects you!
What do the expanded Individual Rights and Consent include?
The GDPR sets a high standard for consent. Consent means offering individuals real choice and control. Consent is only one of several lawful bases for processing (others include performance of a contract, a legal obligation, and legitimate interests), but when you rely on it, the GDPR says it must be freely given, specific, informed, and unambiguous, and indicated by a clear affirmative act; pre-ticked boxes and silence do not count. You also must clearly explain how you plan to use the personal data.
This standard applies to consent from both new and existing clients. Consents obtained earlier that do not meet the standard are not valid going forward, which could force some organizations to approach the same individuals again for fresh permission to use their data.
Your organization needs to audit its consent practices and its existing consents, and refresh any consents that don't meet the GDPR standard. Keep a record of who consented, when, how, and to what, because the organization must be able to demonstrate that valid consent was given.
Now, let's get to the core: what are those new individual rights?
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure, AKA the right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Do the new GDPR rules impact your business?
The scope of the GDPR is very broad. It applies to every organization established in the EU that processes personal data, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour. Where the business or its processing activities are located makes no difference.
If your business processes the personal data of people in the EU in any of these ways, this new regulation will impact you!
The regulation defines 'personal data' as any information relating to an identified or identifiable natural person.
Personal data therefore includes not only data commonly considered personal in nature (social security numbers, names, email addresses, etc.), but also data such as biometric data, IP addresses, location data, cookie identifiers, and financial information. Some categories, such as health, genetic and biometric data, or data revealing racial origin, political opinions or religious beliefs, are 'special categories' that carry extra restrictions.
How does your business prepare for the GDPR?
All organizations should start with an inventory of the personal data they hold: what it is, where it came from, where it is stored, who it is shared with, and on what lawful basis it is processed. This is the only way to determine whether you are processing the personal data of people in the EU and which obligations apply, and most organizations are required to keep such a record of their processing activities anyway.
The penalties for non-compliance are tough.
If you are a small business and are concerned about the ability to cope with such a complex task, you should consider seeking out a third-party expert to help.
Organizations will also need to ensure their security monitoring and incident response processes can detect and react to a breach quickly. Under the GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, they must be notified as well without undue delay. A processor that suffers a breach must notify the controller without undue delay. Document every breach, including those you decide not to report, and the reasoning behind that decision.
To manage these extra requirements, businesses should consider appointing a data protection officer (DPO) to oversee these processes. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.
One important notice!
The EU has determined that the US as a whole does not offer an adequate level of data protection, so personal data cannot simply be transferred there. Organizations can address this by self-certifying under the EU-US Privacy Shield, a program under which participating U.S. companies commit to a set of data protection principles, which allows EU personal data to be transferred to them. Privacy Shield is not the only route: standard contractual clauses approved by the European Commission, and binding corporate rules for transfers within a corporate group, are also recognized transfer mechanisms.
This means that if you transfer the personal data of people in the EU to the US, you need one of these transfer mechanisms in place before the data moves; processing that stays inside the EU does not require one.
What are the consequences of disregarding these new rules?
There are significant risks for businesses that are not compliant with the GDPR.
What is the worst-case scenario?
A business that is not compliant with the GDPR requirements faces a fine of up to €20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. This is the maximum fine, reserved for the most serious infringements; a lower tier of up to €10 million or 2% of turnover applies to other failures, such as not notifying a breach or not keeping records of processing.
The rules are also clear that who caused a breach does not change who is accountable. Whether it is an employee, a malicious attacker, or a partner or other third party, it is still the organization acting as controller that must notify the authority, that can be fined if it failed to take appropriate security measures, and that suffers any consequent reputational damage.
It is important to note that these rules apply to both controllers and processors, so cloud and SaaS providers acting as processors will not be exempt from GDPR enforcement, and a controller must have a written contract in place with each processor it uses. Email marketing companies like Mailchimp are implementing tools within their platforms to help clients properly collect customer data and consent in sign-up forms.
With such a dramatic risk of financial loss, it’s no wonder that companies are paying serious attention to safeguarding their data.
Summing up, the GDPR should not be taken lightly. Compliance with the GDPR is likely to require organization-wide changes for many businesses.
This regulation should lead to a more open dialogue between businesses, advertisers included, and data subjects, and must be respected by everyone involved in the processing of personal data.
If you are concerned about how this could impact your business, we recommend that you contact your corporate legal resources to discuss the matter further.