GDPR is one of the largest and most far-reaching data privacy laws in the world. Its requirements apply to all businesses handling the consumer data of citizens in the European Union (EU), no matter their size, industry, or country of origin.
"Its main objectives are to give citizens back personal control of their data [and] to simplify regulation for businesses," said Peter Milla, chief data officer at Cint. "It applies to all member states."
The regulations have caught many companies a bit off guard. According to a survey by ESG, only 11 percent of 700 organizations were completely ready at the beginning of 2018, and only 33 percent said their incident response plans met the GDPR requirements; the true figure may be lower still.
Potential fines for non-compliance or breaches of privacy are set at whichever is higher: 20 million euros or up to 4 percent of a business's revenue. The amount actually levied depends on factors like the size of the company and whether the regulatory body thinks the company made a good faith effort to secure its data.
Here's what you need to know about the GDPR requirements and how you can prepare your U.S. business.
What is the GDPR?
The GDPR was first proposed in 2012 as a way to create consistent data privacy laws in the EU member states. The legislation replaced the 1995 Data Protection Directive, which was a set of recommendations to guide EU countries to create their own laws around data privacy.
- Anyone involved in processing EU consumer data, including third-party entities involved in processing data to provide a particular service, can be held liable for a breach.
- When an individual no longer wants their data to be processed by a company, the data must be deleted, "provided that there are no legitimate grounds for retaining it."
- Companies must appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers (small and midsize enterprises are exempt if data processing is not their core business).
- Companies and organizations must notify the relevant national supervisory authority of serious data breaches as soon as possible.
- Parental consent is required for children under a certain age to use social media (a specific age within a group ranging from ages 13 to 16 will be set by individual countries).
- There will be a single supervisory authority for data protection complaints aimed at streamlining compliance for businesses.
- Individuals have a right to data portability to enable them to more easily transfer their personal data between services.
How will GDPR affect small businesses?
At first glance, it may seem that the GDPR only applies to large, global companies that conduct a lot of business overseas. But that's a false perception that could harm a lot of small businesses, said Milla.
No matter the size of your company, if you collect any kind of personal data on citizens in the European Union, from email addresses to medical records, you are legally required to comply with GDPR regulations.
"Any company ... that conducts business in Europe will be impacted by the change, and will need to understand their responsibilities in complying with the regulations," said Daren Glenister, field chief technology officer of Intralinks. "[Companies] will need to put procedures and systems in place to ensure [European] citizen data resides in the country of record, and will need to validate how any personal data is collected, stored, processed and shared."
Most businesses are a long way from that point: "Only 25 percent of customer data meets GDPR requirements," said Milla. Even records that companies think are harmless will be considered protected data if they could be used to identify a consumer.
"A doctor's name and a zip code and a condition, in a small rural area – that's information you can use to identify someone," he added. "Insurance brands may have to delete as much as two-thirds of their past customer records."
Brexit and the GDPR
As Great Britain prepares to leave the European Union in 2019, many businesses are assuming that data protection laws in the UK will be less demanding than those in Europe. This is not necessarily the case, said Milla.
"There's a real heightened sensitivity in the UK about GDPR because they need to be GDPR-compliant before Brexit actually takes place," Milla cautioned.
In fact, scrutiny of data protection practices in the UK might be more stringent than in other countries because, Milla said, they’ve already committed to tighter security. However, the regulations put in place in the UK could provide a helpful model for many American businesses – and those around the world – looking to become GDPR-compliant.
"[British regulations] could be a good source for America, because all the [GDPR] materials are published in English," Milla added.
What can you do to prepare?
If your business currently does or is thinking about doing business in Europe, there are steps you can take to stay compliant with the GDPR.
1. Conduct an analysis.
Start by consulting with a legal expert to understand the data privacy regulations and how they might impact your business. Then look at the systems you already have in place and find out where weak spots exist.
"Get someone who can help," Milla advised. "Do a data protection impact analysis… Revisit how [you] get consent [and] mechanisms to delete data."
2. Educate the whole team.
Employees should be educated about the responsibilities they have when dealing with personally identifiable or sensitive personal information of employees, customers, partners and contractors. Milla said it is especially important to make sure that the whole management team understands why data protection, and the changes required under GDPR, needs to be a priority in the budget.
3. Choose a point person.
Midsize businesses may want to consider appointing a compliance officer, who would be responsible for reviewing the constant changes in data privacy laws, Glenister said. Smaller businesses, Milla suggested, can hire an outside contractor to fill this role as needed. Either way, he said all businesses need to identify a primary point of contact whose responsibility it is to address issues of data protection.
4. Categorize your data.
Determine which of your business's data is impacted by regulation guidelines. For example, EU citizen data could be in contracts, HR documents, financial records or purchase order history. Look at where this data is stored, how it is processed and who has access to it. From there, you can set company-wide policies around how data should be handled.
5. Review your contracts.
Your third-party vendors should have clear policies that adhere to the regulations. Just because you sign a contract in one country does not mean your data will be stored or processed in that country, Glenister said. As with your own internal data management, understand how your vendors will store, process and access your business's data.
In addition, ask what procedures your vendor has in place to meet regulations and how that company will address violations.
"The fines are levied based on each country's specific regulations, which further opens up businesses to significant, repeated risks, depending on how many countries you transact with," Glenister said.
Milla agreed, adding that even if a third-party vendor is the one who mishandles data, you could still be penalized. "Who are [regulatory bodies] going to see as the responsible party?" he said. "Depending on what the relationship is… you’re still responsible."
As laws like GDPR go into effect, businesses need to reframe how they think about customer data and their own liability. If handled properly, these GDPR regulations could even lead to an opportunity to improve efficiency.
"Take a risk-based approach," Milla recommended. "Privacy or data protection has to be a component that you are designing to."
Glenister agreed: "The more you can invest in data security to ensure that you are doing all the right things to keep personal data safe, the better."
Data privacy in the U.S.
Investing in data privacy is good advice for any business, even those not located in the European Union or serving EU-based users. Data privacy laws are coming to the U.S., and in some states like California, they already have.
The California Consumer Privacy Act (CCPA) is slated to go into effect in 2020 and covers any business operating in California. The CCPA, which was recently signed into law, establishes the U.S.'s most stringent data privacy requirements, intended to improve transparency and give consumers control over their data, as GDPR does. Some of the requirements included in the CCPA are:
- Users must be informed of the data collected by companies, as well as how it will be used.
- Users must have the ability to order the deletion of their data, as well as the ability to disallow the sale of their data to third parties. Companies must disclose these requests.
- Companies must track and disclose the types of data they collect, disclose and sell, as well as the third parties that have access to that data.
- Users must be able to obtain their data in a printable format.
How is CCPA different from GDPR?
While on the surface there appear to be a great deal of similarities between the two measures, there are some key differences. In some areas, the CCPA is more forgiving than GDPR, and in others it is stricter. Some of these differences include:
- The CCPA requires consumers to opt out of data collection, processing, and selling. The GDPR requires consumers to opt in.
- The GDPR requires companies to govern their data collection and processing policies, while the CCPA prescribes that the attorney general develop a set of rules.
Penalties for failure to comply with the CCPA are quite steep, but less so when compared to the GDPR's existential threat of the higher of 20 million euros or 4 percent of a company's revenue. The CCPA instead levies a fine of $7,500 per incident. Still, given the scale of data collection that companies engage in today, that can add up quickly.
Who CCPA applies to
The California act will apply to for-profit businesses that do business in California and deal in residents' personal data, and that meet at least one of three thresholds: annual gross revenue of more than $25 million; receiving or disclosing the personal data of 50,000 or more Californians annually; or earning 50 percent or more of annual revenue from selling the personal information of California residents. It also applies to corporate affiliates of those businesses that share their branding. That means it does not apply to not-for-profits, to small-to-medium businesses below those thresholds, or to companies that neither buy nor sell personal data.
What should businesses covered by the CCPA do next?
Many companies in California, or serving California consumers, have already retooled their data collection and processing policies to comply with the EU's GDPR. Even so, they will likely need to take a second look to ensure that those newly created policies also align with the standards set forth in the CCPA. If not, further internal changes will be necessary before 2020.
For companies concerned about serving Californians under the CCPA, it's wise to keep these consumer "rights" in mind:
- The Right to Opt Out of Data Collection and Sale
- The Right to Access Personal Data
- The Right to Delete Personal Data
If your company recently performed a data analysis to come into compliance with GDPR, you've already taken the first step. Knowing what you collect, from whom, and what you do with it is half the battle toward managing it effectively and in compliance with the law. Revisit the changes you made when preparing to comply with GDPR and scrutinize the CCPA to see where the two measures do not overlap. With a comprehensive view of the data you collect, transmit and sell, it should be easy enough to plug any holes before the 2020 enforcement deadline.
Additional reporting by Katharine Paljug.