What You Need to Know About GDPR

GDPR, the European Union’s General Data Protection Regulation, seeks to protect the privacy rights of EU consumers. The Regulation dictates how corporations, institutions and governments must secure and process personal data within their control. It becomes effective on May 25, 2018.

If you have customers in the EU – no matter where in the world your business is located – GDPR compliance should be a top priority right now. The regulations apply to all companies that process or store the personal data of any EU residents.

Personal data includes any information about “identified persons” or information that could be used to identify an individual, and can include names, ID numbers, location data, phone numbers, email addresses, and purchase histories among other less personal, and seemingly less consequential information.

Much is being written about the core motivations behind the GDPR’s enhanced efforts to protect the personal data of EU citizens. In sum, a system of data collection and processing must assure accuracy and transparency; must be secure (i.e., confidential, fair and lawful); and must be subject to purpose and temporal limits. Lip service to these elements won’t cut it.

What’s at Stake

Stringent privacy regulations are nothing new in the EU, but what’s different about GDPR is that it carries strong penalties for non-compliance. Depending on the company size and type of infraction, penalties can amount to up to 20 million Euro or 4% of total revenue, whichever is greater.

7 Steps for Preparing for GDPR

To prepare your organization for the May 25, 2018 effective date, here are seven suggested steps to get your data processing policies in order. This list is not exhaustive — instead, it is a quick overview to get you started in the right direction. The time to act is now.

1. Assess the impact to your organization

First, understand how much impact your organization will feel from GDPR going into effect. Assess your current practices with regards to the six core GDPR elements described above. Do you store, utilize or process data for EU residents? If so, does it make sense to compartmentalize this data in order to handle it differently from non-EU data subjects?

2. Understand how you’re currently processing EU consumer data, and prepare to make necessary changes

Clearly define your legal basis for collecting and storing personal data of EU residents. Review your consent practices to ensure consent is clear, explicit, affirmative and specific – and note that this new level of scrutiny (likely) goes beyond what may be in your current set of general terms of service. Keep in mind that there are rules for clarity of language that may require you to rewrite certain policies, and that there are even more stringent requirements for handling the data of EU minors. GDPR also requires organizations to document the purpose and scope of the data for each of the ways they plan to process the data.

Understand there are no ready short-cuts to compliance. For US companies, simply relocating your data from an EU country to the US is not a ready quick fix. The EU prohibits the transfer of EU resident data to the US — and other countries with insufficient privacy protections, as judged by the EU, without first having documented proof of satisfaction of the EU/US Privacy Shield framework (or its equivalent, elsewhere). Likewise, it’s important to consider the possibility that other governments will follow the EU’s lead in the future. So, the wisest and most financially efficient course of action may be to deploy GDPR-compliant data management efforts across your organization, and regardless of where consumers reside.

3. Integrate data privacy into your daily operations

GDPR requires companies to enact — and enforce — policies and behavioral standards for handling personal data. To ensure your new data governance policies are followed, as required, it’s a good idea to implement ongoing employee training.

In addition, GDPR dictates that companies designate a Data Protection Officer (DPO) who reports to senior management, is responsible for implementing and enforcing privacy rules, and periodically delivers updates to the board of directors. In other words, it’s insufficient to “talk the talk.” The point of all of these requirements is to make protecting privacy a regular part of the day-to-day. The EU’s implementation of the GDPR intentionally and effectively elevates data protection from one of many administrative considerations, to a top-line C-suite management responsibility.

4. Put processes in place to respond to consumer requests

Under EU privacy laws, data subjects have rights over their data. These rights and expectations are amplified under the GDPR, and include the right to request to see their data; requests that must be honored within a certain timeframe (often 30 days) and in a specific format. In some situations, an individual has the right to ask that their data be corrected or erased. The GDPR requires companies to set forth and communicate to data subjects the rights they have and how to access them. It’s important to prepare your policies and processes to deal with any incoming data requests.

5. Plan your response to potential security incidents

Data breaches carry heavy fines (as indicated above), so it’s incumbent on companies to ensure data is not leaked or stolen. GDPR mandates companies to assess their own risk in this area, but also requires that companies notify data protection authorities of a breach within 72 hours of discovering it. Bottom line — you must put a crisis response plan in place that lets you execute and document your incident investigation extremely quickly. As a best practice, the GDPR urges companies to anonymize or encrypt personal data to reduce the risk of a breach reaching sensitive information.

6. Ensure compliance readiness of any firm with which you share data

Organizations that control and process personal data have shared responsibility for the privacy and security practices of business partners or data storage providers with whom they share the data. GDPR compliance is not limited to data controllers/processors; your third-party partners or service providers must comply too.

7. Self-check regularly

As your business changes, it’s imperative to periodically assess your regulatory compliance and make necessary corrections. This is an iterative process that requires regular review to assume your business organizations remains “inside the guardrails” of the GDPR. The GDPR is just coming on-line, and the enforcement realities are as yet unknown.

* * * * *

Today’s marketplace is global and data-driven. To compete, companies must understand the consumer data they collect, store and use. GDPR requires firms to develop stricter policies for protecting the data of EU residents, and is anticipated to be the harbinger of more stringent regulations to come from governments around the world.