On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) will begin to be enforced. It's one of the largest and most far-reaching data privacy laws in the world. Its requirements will apply to all businesses handling the consumer data of EU citizens, no matter their size, industry or country of origin.
"Its main objectives are to give citizens back personal control of their data [and] to simplify regulation for businesses," said Peter Milla, chief data officer at data insight exchange platform Cint. "It applies to all member states."
Sadly, it's catching many companies a bit off guard. According to a survey by ESG, only 11 percent of 700 organizations were completely ready at the beginning of 2018, and only 33 percent said their incident response plans meet the GDPR requirements, but that number may be even lower. Potential fines for non-compliance or breaches of privacy depends on which is higher; 20 million euros or up to 4 percent of a business's revenue, depending on factors like the size of the company and whether the regulatory body thinks the company made a good faith effort to secure its data.
Here's what you need to know about the GDPR requirements and how you can prepare your U.S. business.
What is the GDPR?
The GDPR was first proposed in 2012 as a way to create consistent data privacy laws in the EU member states. The legislation will replace the 1995 Data Protection Directive, which was a set of recommendations to guide EU countries to create their own laws around data privacy.
- Anyone involved in processing EU consumer data, including third-party entities involved in processing data to provide a particular service, can be held liable for a breach.
- When an individual no longer wants their data to be processed by a company, the data must be deleted, "provided that there are no legitimate grounds for retaining it."
- Companies must appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers (small and midsize enterprises are exempt, if data processing is not their core business).
- Companies and organizations must notify the relevant national supervisory authority of serious data breaches as soon as possible.
- Parental consent is required for children under a certain age to use social media (a specific age within a group ranging from ages 13 to 16 will be set by individual countries).
- There will be a single supervisory authority for data protection complaints aimed at streamlining compliance for businesses.
- Individuals have a right to data portability to enable them to more easily transfer their personal data between services.
How will GDPR affect small businesses?
At first glance, it may seem that the GDPR only applies to large, global companies that conduct a lot of business overseas. But that's a false perception that could harm a lot of small businesses, said Milla.
No matter the size of your company, if you collect any kind of personal data on citizens in the European Union, from email addresses to medical records, you are legally required to comply with GDPR regulations.
"Any company ... that conducts business in Europe will be impacted by the change, and will need to understand their responsibilities in complying with the regulations," said Daren Glenister, field chief technology officer of Intralinks, an enterprise collaboration tech company. "[Companies] will need to put procedures and systems in place to ensure [European] citizen data resides in the country of record, and will need to validate how any personal data is collected, stored, processed and shared."
Most businesses are a long way from that point: "Only 25 percent of customer data meets GDPR requirements," said Milla. Even records that companies think are harmless will be considered protected data if they could be used to identify a consumer.
"A doctor's name and a zip code and a condition, in a small rural area – that's information you can use to identify someone," he added. "Insurance brands may have to delete as much as two-thirds of their past customer records."
Brexit and the GDPR
As Great Britain prepares to leave the European Union in 2019, many businesses are assuming that data protection laws in the UK will be less demanding than those in Europe. But that's not necessarily the case, said Milla.
"There's a real heightened sensitivity in the UK about GDPR because they need to be GDPR-compliant before Brexit actually takes place," Milla cautioned. In fact, scrutiny of data protection practices in the UK might be more stringent than in other countries because, Milla said, they’ve already committed to tighter security.
However, the regulations put in place in the UK could provide a helpful model for many American businesses – and those around the world – looking to become GDPR-compliant.
"[British regulations] could be a good source for America, because all the [GDPR] materials are published in English," Milla added.
What can you do to prepare?
If your business currently does or is thinking about doing business in Europe, there are steps you can take to stay compliant with the GDPR.
1. Conduct an analysis. Start by consulting with a legal expert to understand the data privacy regulations and how they might impact your business. Then look at the systems you already have in place and find out where weak spots exist.
"Get someone who can help," Milla advised. "Do a data protection impact analysis… Revisit how [you] get consent [and] mechanisms to delete data."
2. Educate the whole team. Employees should be educated about the responsibilities they have when dealing with personally identifiable or sensitive personal information of employees, customers, partners and contractors. Milla said it is especially important to make sure that the whole management team understands why data protection, and the changes required under GDPR, needs to be a priority in the budget.
3. Choose a point person. Midsize businesses may want to consider appointing a compliance officer, who would be responsible for reviewing the constant changes in data privacy laws, Glenister said. Smaller businesses, Milla suggested, can hire an outside contractor to fill this role as needed. Either way, he said all businesses need to identify a primary point of contact whose responsibility it is to address issues of data protection. [Interested in finding the right person? Check out our best picks for recruiting software for small business.]
4. Categorize your data. Determine which of your business's data is impacted by regulation guidelines. For example, EU citizen data could be in contracts, HR documents, financial records or purchase order history. Look at where this data is stored, how it is processed and who has access to it. From there, you can set company-wide policies around how data should be handled.
5. Review your contracts. Your third-party vendors should have clear policies that adhere to the regulations. Just because you sign a contract in one country does not mean your data will be stored or processed in that country, Glenister said. As with your own internal data management, understand how your vendors will store, process and access your business's data.
In addition, ask what procedures your vendor has in place to meet regulations and how that company will address violations.
"The fines are levied based on each country's specific regulations, which further opens up businesses to significant, repeated risks, depending on how many countries you transact with," Glenister said.
Milla agreed, adding that even if a third-party vendor is the one who mishandles data, you could still be penalized. "Who are [regulatory bodies] going to see as the responsible party?" he said. "Depending on what the relationship is… you’re still responsible."
As laws like GDPR go into effect, businesses need to reframe how they think about customer data and their own liability. If handled properly, these GDPR regulations could even lead to an opportunity to improve efficiency.
"Take a risk-based approach," Milla recommended. "Privacy or data protection has to be a component that you are designing to."
Glenister agreed: "The more you can invest in data security to ensure that you are doing all the right things to keep personal data safe, the better."
Additional reporting by Anna Attkisson.