American Companies and the GDPR
The impact of the General Data Protection Regulation (GDPR) for American companies which gather, maintain or process personal data of citizens of the European Union (EU) will be considerable – and compliance with it is obligatory.
The new EU Regulation will come into force on May 25th, 2018. The GDPR impacts the manner in which the personal data of the citizens of EU member states may be collected, used and held. It also introduces the right for individuals to have much more influence in what data about them is gathered, together with a right to know for what purposes that data is being used, and for what length of time it will be used for.
The enactment of the GDPR will instigate sweeping changes to business practices for those companies which have not already implemented a policy that reflects a similar level of data privacy. Fields as wide-ranging as finance to human resources, advertising, sales and customer services will undoubtedly be impacted by the changes. Firms which work with channel partners must also ensure that their partners’ activities comply with the GDPR.
Do American Companies Have to Comply with GDPR?
Numerous businesses have wondered aloud if GDPR applies to US-based companies which already function in compliance with the existing EU-US Privacy Shield. The short answer to their question is “yes”. The scope of the GDPR is much broader than that of the EU-US Privacy Shield, which is limited to the protection of the transfer of personal data in transatlantic exchanges. American companies which act within the scope of GDPR need to assume they will be obliged to comply with its requirements as soon as it comes into force.
The manner in which the GDPR applies to US companies which collect, use or maintain personal data may prove to be complicated. This is particularly true regarding citizens of European Union member states who are temporarily resident in the USA, or even with respect to cloud environments that may be based in an EU country but are logistically supported in the United States. These questions, among others, highlight the fact that GDPR compliance is an issue that American companies should address as soon as possible.
GDPR Compliance for US Companies
The interest for US companies to comply with GDPR is simple; they face exposure to non-compliance penalties and those penalties are significant. The new regulation just cannot be ignored by American companies. Some experts have suggested that GDPR is a privacy equivalent to SOX, which underlines just how seriously USA-based companies with EU customers should be taking the new changes.
Reassuringly, recent research carried out by PwC indicates that a large number of multinational companies are now taking GDPR for their US operations quite seriously. More than 50% of the companies that took part in the PwC survey stated that GDPR is their number one data protection priority, and over three quarters of those claimed they will be investing at least $1 million on compliance matters. Nonetheless, worries remain concerning the speed in which mid-cap American companies are preparing for the May 25th, 2018 deadline.
Here are some indications of what are likely to be the most important tasks for US companies to undertake in order to ensure that they are GDPR compliant:
Carry Out an Audit of your Company Data
Performing an audit of your company data will be no small task, however it will make it much easier for you to take a number of informed decisions on how best to comply with GDPR.
- Where does your company store its data?
- Why are certain types of data collected?
- How is your customers’ data obtained?
- Is there a degree of duplication of the same data over numerous sites?
These questions must be answered prior to deciding upon the correct changes to be made for your own business. This initial step of clarifying where all genres of your customer data is to be found is crucial.
Ensure that your Service Providers’ Data has been Audited
The job of auditing a service provider’s data is where many American companies may struggle and might well be where the greatest risk to your business is to be found. It is essential to review your 3rd-party service providers’ systems of data storage and processing, and if necessary re-evaluate existing service level agreements. Should a data service provider not be able to demonstrate that it is a GDPR compliant US company, then any work that it does concerning your European Union customer data will be deemed to be non-compliant with the new Regulation.
Prepare to Respond to Requests Under the “Right to be Forgotten”
Two new rights for citizens of European Union member states will be introduced by the GDPR and it is essential that US companies have a full understanding of them. The Regulation includes the “Right to be Forgotten”; this permits individuals to ask for their personal data to be deleted from company servers (in specific circumstances). Another impact that the Regulation will have on US companies it that it confirms the right of EU citizens to receive data in a standard format and also to request that their own data be transferred to another company or business. This change will have a telling affect on how US companies must service and reply to their European Union customer data requests from May 25th, 2018 onwards.
Categories of Controllers and Processors under GDPR
Is your company, under the new Regulation’s guidelines, a data processor or a data controller? It is necessary that you identify the correct category for your company as soon as possible. A data processor company is one that processes the personal data of individuals as a proxy for a controller. A data controller company is one that defines the purposes and methods by which customer data is processed. These two types of company have their respective implications regarding compliance with GDPR for US companies. It is also true that a company may be simultaneously a data controller and data processor.
To further complicate matters, a data controller might have multiple data processors. The new Regulation stipulates that the data controller will be held liable for the actions (i.e. the non-compliance) of any data processors with whom they work with in the market. It is therefore crucial that American companies take great care in selecting their data processors for the European market given that some of these service providers may not be compliant with GDPR in time for May 2018. A written agreement should be in place with stipulates the precise terms of the working relationship between the controller and the processor. This contract must include details concerning the customer data itself, the length of time the customer data is stored, the manner in which the information should be deleted and the genre of, and reason for maintaining, the customer data in question.
Penalties and Fines for GDPR Non-Compliance
US corporate leaders are perhaps most concerned by the new enforcement procedures and penalties that will be associated with GDPR compliance. The heavy penalties that non-compliance with GDPR will attract could run into millions of dollars for offending companies. Non-compliant companies will fall into one of two categories, the higher of which could cost a company up to €20,000,000 or 4% of its net income.
Damage to Reputation
From May 25th, 2018 (i.e. the date on which GDPR comes into force), it is very probable that the first companies to face penalties for non-compliance will receive particular scrutiny. Those companies that fail to comply with the new law could face damage to their reputations that may ultimately prove to be much more costly than the GDPR fines themselves. There is also the possibility that some competitors will use the question GDPR compliance as a tool to obtain an advantage in the marketplace. Company directors must ask themselves if they are prepared to let their businesses suffer damage to their reputation that failure to comply with the new regulation might bring. In the very near future, data privacy may well become a new area of competition for many businesses where new customers are won or lost.
Appoint a Data Protection Officer (DPO)
In certain scenarios hiring a Data Protection Officer (DPO) will be a simple necessity. Other companies may not have to recruit a full-time data protection officer. GDPR influences just about every operational team in the average company. Compliance with the new regulation requires a great deal of hard work. The centralization of all of that work under one employee’s responsibility rather than having a number of data ‘chiefs’ is advisable.
Data Breaches: Notification of Authorities and Customers
As soon as a data breach occurs, your company is required to inform the relevant data protection authority within a maximum of 72 hours of the event. Every European Union member state will have its own respective data protection authority which is responsible for the implementation of the new regulation. Should a data breach pose a significant privacy risk to your customers, then your company must also inform those customers directly.
Update your Procedures for Data Breaches
Companies should review and modernize the in-house processes that they presently have in place in order to identify, report, and investigate data breaches as soon as they occur so as to comply with the time-limit and criteria imposed by GDPR authorities.
Re-draft your Existing Consent Forms
Consent and disclosure forms for customers need to be reviewed and re-drafted. You must obtain agreement for each individual use-case that has been developed for your customer’s data. Each customer needs to have the possibility of selecting those that he or she agrees with and declining those that he or she does not. You also need to be capable of storing each customer’s preferences in your company’s databases.
Although much of the GDPR is focused on how companies should manage the consumer data in their possession, your company must do more than simply make sure that it operates in compliance with the new requirements. You also need to educate your staff in the European Union about the new rules and ensure that your employees have undergone a GDPR training course to ensure they know how to deal with customer data under the GDPR.
The GDPR for American Companies: Summary
Clearly, the new European Union data privacy regulation will impact just about all aspects of your business. Thankfully, the consequences that the GDPR will have on your American company will of course also affect your competitors’ activities, meaning that your company will not be placed at a specific disadvantage in the market. It is essential that your staff work together to address this common problem in a constructive and cohesive way. Your entire organization needs to stay aware of the impact of GDPR even after initial compliance has been achieved. Do not forget that complying with the Regulation is a continuous process and that you need to remain vigilant if your company is to remain on the right side of the law.
Undoubtedly, it will take some time for your company to fully comprehend the new regulation. Whether you are enthusiastic about it or not, it is evident that the new “privacy equivalent of SOX” will have a considerable affect on American companies which sell their products or offer their services to European Union customers. Some marketers view good GDPR compliance as an opportunity that can be used to make their company stand out in the crowd of competition. It is advisable to begin preparation for the changeover as soon as possible. This could lead to your company obtaining a considerable competitive advantage over its competitors, as opposed to suffering damage to reputation that may well result from your company being found to be non-compliant.