You have a small to mid-size US company with a website and a digital marketing strategy, and you collect data. If you don’t want to get fined a ton of money and hurt your brand, you need to be GDPR compliant by May 25, 2018. Whoa! Say you’re not quite sure why GDPR is a BFD? Pour a cup of coffee and read on. You’re going to need to round up some scattered data.
What is GDPR?
General Data Protection Regulation (GDPR) is the EU’s new data protection framework. It takes effect May 2018, and it will weigh tough regulations and fines against any private or public organization that mishandles EU citizens’ data. GDPR is an effort to give citizens more rights over their own personal data while closing loopholes in outdated laws that do not account for digital advancements like the cloud. Here are a few things you’ll be doing as a result of the GDPR:
- Consent: Get consent before processing EU citizens’ data. Period.
- Parental consent: Get parental consent before accessing an EU minor’s personal data.
- Notification: If you have a data breach, you have 72 hours to notify the EU citizens affected.
- Erasure: If asked, erase an EU citizen’s personal data.
Who is affected by GDPR?
Obviously, if you sell goods or services to citizens of the EU, GDPR applies to you. Likewise, if you control or process the private data of EU citizens, even though you are located outside the EU, you are impacted by GDPR. Globally, GDPR will affect both companies and public organizations that are physically located within EU jurisdiction, and any non-EU organizations that hold or process personal data of EU citizens. Molly Huelfeld, writing for IAPP, simplifies the test. If you answer yes to any of these, you need to get GDPR compliant:
- Do you sell goods or services in the EU?
- Do you envisage (contemplate or conceive of as a possibility) selling to Europeans? Are you trying to gain a foothold in a European market?
- Do you use an advertising technology platform to track EU data subjects, and profile them?
It appears that although companies have had two years to prepare, many have not quite saddled up, for Gartner predicts that more than half of companies affected by GDPR won’t be in full compliance by the end of 2018. And by the way, GDPR goes beyond the EU-US Privacy Shield, so compliance with that is only a first step.
Why Should You Care?
Depending upon ten criteria (nature of infringement, data type, notification, etc.), noncompliance penalties can be up to €20 million ($24 million), or 4 percent of annual global turnover, whichever is greater. Organizations must be able to identify, protect, and manage all personally identifiable information (PII) of EU residents. Better tighten that cinch.
Article 4 of GDPR defines personal data as any information that can identify a natural person directly or indirectly, “by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” That means there are two main types of information your organization should be concerned with:
- Personal data: Identifier data such as name, location, online identifiers, email addresses, IP addresses, cookies, etc.
- Sensitive personal data: Data that most people are much more concerned about getting into the wrong hands: their genetic or biometric data, data on health and sexuality, political, religious, or trade-union affiliations, and racial or ethnic information.
There’s a positive side to GDPR. Small and mid-size companies can build brand confidence by protecting customer privacy. By treating their customers’ personal data seriously and implementing GDPR in a transparent manner, smaller and mid-size companies can market their bona fides. When customers and potential customers trust a brand, they are more likely to share their data.
Three Quick Steps Toward Compliance:
Step 1: Educate
Educate yourself and somebody smart on your staff who can take over the role of GDPR compliance officer. Lighten that person’s other duties and pay that person accordingly, for he or she is going to have a lot of work to do. Keep educating everyone in your organization. Don’t forget that includes your customers.
Step 2: Data Roundup
Figure out what kind of sensitive data you hold and handle. In order to evaluate your company’s risk of privacy breaches, you need to audit your data. If your data sources are scattered like cattle, then you need to gather those sources and have seamless access to them in order to evaluate just how great your risk is. Plus, GDPR regulations require that organizations prove they know exactly where personal data is located and where it is not located. Part of this process is to identify specific types of personal data that may be lying dormant in semi-structured fields. Adam Leviathan, writing for Metalogix, says organizations should be able to answer:
- Where is your data stored? In what form is your data stored?
- What kinds of data (personal/sensitive personal) do you have stored?
- What do you do with this data? Do you even need to hold it?
- Who has access to this data? When, if ever, is data shared with third parties?
Then, determine if any of the data you hold puts you at risk. Likewise, make sure you can prove that the data that may put you at risk is in the proper systems and properly secured.
Speaking of data storage, make sure you know what your service provider is up to. Auditing your service provider’s data may be where the most significant risk to your business resides. Make sure to review your third-party service providers’ data storage and processing, and re-evaluate service level agreements. In short, if your data service provider isn’t compliant, then what they do for you isn’t GDPR compliant either. And it could cost you.
Step 3: Establish GDPR compliant policies, procedures, and a contingency plan.
Even if these are preliminary, get policies, procedures, and a contingency plan agreed upon, blessed by legal, and distributed. Don’t just distribute these; make sure these are taught throughout the organization!
Under old regulations, only the data controller was liable when a data breach occurred. Under GDPR, however, any business that comes into contact with the data of EU citizens is liable. You need not be considered a data controller but merely a data processor to be held liable.
Daniel Teachey, writing for SAS, says privacy rules should:
- Be open and have no secret systems for collecting personal data.
- Disclose to individuals what information you have on them and how it’s used.
- Not allow for secondary usage of personal data.
- Allow individuals to correct erroneous personal information.
- Assure customers that their data is used correctly and that steps are taken against misuse.
Create a contingency plan. As of May 25, 2018, businesses must inform the relevant data protection authority in the event of a breach. Should your business suffer a data breach, you must inform the right data protection authority within 72 hours of the event’s occurrence. Yeah, it’s that big of a deal.
At Tresemer Group, we believe good data and information are foundational for all strategic planning. Here are some good formats and guides to help you in preparation for May 25, 2018:
GDPR Signals Big Data Protection Changes Worldwide: See How the IBM Security GDPR Framework Can Help You Prepare Now
Bloomberg Law’s Tips for US Companies in the Age of EU GDPR and Privacy Shield: A Collection of Expertly Crafted Articles and Guidance