May 25 was the day the European Union’s new General Data Protection Regulation (GDPR) went into effect. Unfortunately, with only an estimated half of U.S. companies having prepared for what is the most monumental change to privacy rules in decades, the result could be huge fines and major disruption to how we interact with customers there.
For any US company with customers in Europe, there are regulations to follow even if you don’t have an office there. GDPR gives any of your EU customers the right to access the data you have about them – a free copy must be provided in a machine-readable format within a month of request. The regulation also gives your EU customer the right to request correction or for you to remove data about them (also called the right to be forgotten) and the right to restrict the processing of that data.
But that’s not all. One of the biggest implications of GDPR is that your company must request and obtain consent before you can store or use customer personal data. This is a massive change requiring significant action on the part of companies. If your company has a data breach, you must notify those people impacted within 72 hours. Remarkably, many U.S. firms still aren’t aware of GDPR; they aren’t prepared, or they mistakenly think it doesn’t impact their business. Any company not compliant with these regulations could be walloped by fines of up to 4% of global annual revenues, maxed out at £20 million.
To make sure you are not blindsided by GDPR, here are a few common misperceptions that companies should be aware of.
Myth 1: GDPR doesn’t relate to my company’s business.
Any U.S. company that has data on an EU citizen is impacted, even if it’s just one customer. This includes personal data on e-commerce sites, media sites, messaging platforms, files related to fitness or medical apps, cookies, or even unstructured data within an in-box — anywhere it might be stored, electronically or on paper. In short, just about any information, anywhere.
Myth 2: GDPR doesn’t impact my company because we have no European office.
Guess again. Storing European customer data in the United States doesn’t inoculate companies from GDPR oversight, even those firms without a sizeable number of European customers. Your EU customer database, regardless of its size, must comply wherever it resides, so there’s an argument for storing it closer to customers. And those firms with a UK office that think Brexit will make them immune will also find themselves to be sadly mistaken; GDPR covers the entire region, regardless of Brexit.
Myth 3: I can pick the “regulatory authority” that aligns best with my business.
Under GDPR, there’s a regulator in each of the EU’s 28 member states, with quite a disparity in how they approach enforcement, but GDPR also includes a “one-stop-shop” compliance framework. This might lead some companies to think they can pick their favorite regulator. Alas, no they can’t. The regulator must be the one overseeing the country containing a “main establishment.” This is why savvy companies don’t want their main establishment in countries with a GDPR data commissioner who only makes contact to announce an audit or fine. A better approach is selecting a country known to have a responsive, helpful data commissioner. Consider investigating the EU headquarters locations chosen by major U.S. companies, particularly data giants like Google, Facebook and Amazon, who know a thing or two about customer databases.
Myth 4: If I start now, there’s still time to be 100% compliant with GDPR even though May 25 is here.
Given the scope of the GDPR ruling, this seems unlikely — although launching an immediate compliance program should still be an unalterable goal rather than playing Russian roulette. Getting consumer consent for all of a company’s European customer data is a massive undertaking, particularly considering the high volume of such data likely obtained without consent. Then there are nightmare scenarios like a network breach in which thieves grab un-consented consumer data. The fines would apply if you have not made every attempt to lock your network down beforehand. If you are only starting now, at this late stage in the game the best plan is to get professional support. There are plenty of good readiness frameworks and analyst guides out there with detailed steps to follow.
What to do next
While it won’t be without cost or effort, U.S. companies wanting to tap into the large, lucrative European market can be in compliance with GDPR by following a few steps:
Perform a data audit – This involves knowing what European customer data exists in order to be better able to put comprehensive measures in place to protect it.
Appoint an internal data protection officer – Whatever you call them, such a person is needed to drive and monitor a GDPR compliance program, with adequate budget, tools and resources assigned. Training staff is a key effort that should precede implementation.
Understand GDPR’s customer rights and have a plan for responding – Consumers have the right to see their personal data (typically within a month of request), have it changed and deleted and can demand restriction of further processing of such data, also withdrawing any prior consent to use it. In addition, customers must be told within 72 hours of a data breach.
Allocate adequate budget, tools and resources – Not funding a serious GDPR compliance plan now might save money but not when compared to the cost of fines later. Most companies are training staff to help them understand what compliance means so that human error does not create a security breach unintentionally.