Tuesday, January 23, 2018

Are you compliant with the General Data Protection Regulation (GDPR) Requirements?

European businesses have been aware for some time that beginning in May 2018 they must be compliant with the General Data Protection Regulation, which protects customer data when it is handled both by those who collect it ("Controllers") and by those who manipulate that data on behalf of Controllers ("Processors").

Surveys reveal, however, that only 25 percent of U.S. companies believe the regulation applies to them. That misconception could cost them up to four percent of global revenues or €20 million (approximately $24.5 million), whichever is greater.

To drive home the point: if you have ANY customers who reside in or have their businesses located in the European Union, you are obligated to be compliant with the GDPR. There is no threshold for this, such as more than one percent or five percent or ten percent of your customers residing in the EU. Technically, if even one customer resides there, or you process credit card data there, the GDPR applies to you.

If businesses collect or process any personal data of EU residents, they have to follow strict rules such as reporting any data breaches within 72 hours of occurrence, getting consent from customers before collecting personal data, and offering customers the ability to request all of their records be deleted.

And here's an important wrinkle -- the GDPR applies to EU citizens even if they are not residing in the EU. That means eCommerce platforms will have to ask each new customer whether they are EU citizens, and will have to include those who became EU citizens after they were already part of your customer base.

One of the key components of GDPR is the way it governs data breaches, giving companies just 72 hours to notify users if their personal data has been compromised.

An article in Information Week summarizes what actions to take to establish compliance. In brief, these are:

1. Determine if you’re a controller or a processor.
2. Audit your data to make sure you get a "single view" of each customer (because you may have customer data stored in more than one place).
3. You will need to appoint a representative for your company who is established in your EU supervisory country. This person is the point of contact for all communications with the GDPR supervisory body.
4. "If required, appoint a Data Protection Officer. Not all organizations need one, but given the vastness of the compliance requirements, it may be wise to have one. Make sure this person has the expertise you need."
5. "Data subjects will need to check a box (or its equivalent) for every single use-case you have for their data. This includes profiling and big data purposes. They need to be able to select those they agree with and decline those they don’t, and you need to be able to comply and track their preferences in your systems."
6. Audit third-party providers to make sure they are compliant in their service-level agreements.
7. "Consider where your data centers should be. Some companies are moving data centers to the EU to comply; some cloud-based database providers are able to easily discern and segregate EU data for you."

And if you won’t be 100-percent ready by May? Be sure to document all actions taken to build and implement your GDPR compliance framework. This will help provide evidence of your strategy and good faith for the regulators. GDPR is not demanding perfect privacy and security. According to Daniele Catteddu in another Information Week article, it’s asking for a risk-based approach to privacy.

Here's another Information Week article that provides a slightly different perspective.

Finally, says Ed Addario in yet another Information Week article, "Because of the complex system upgrades and internal process changes required for GDPR compliance, it’s safe to say that the shift will feel like a burden for IT, legal and HR teams at first. However, I see GDPR as a dose of tough love for organizations both inside and outside the EU. It serves as a forcing function for companies to modernize their data management systems, while improving how they communicate with, and relate to, their customers."

P.S. As Julie Hunt of  observes, "Third parties are extensive: payroll, marketing/digital agencies, anything SaaS, website/eCommerce management services, and so on. One phrase sticks with me: even though organizations may be controllers or processors, it's best that every org approach compliance as a data controller."

And - "US orgs are better served if they simply adopt GDPR as the 'gold standard' instead of fooling themselves into trying to manage data piecemeal, based on different regional regs. Way less mess & wasted time."
