Missed the GDPR Deadline? Here's How to Recover.
Joel Rakow, Ed.D.
Chairman CEO Peer Exchange | Publisher "Not the WSJ" | Senior Partner Fortium Partners - Cybersecurity
You may be late to comply with GDPR’s original deadline, but it is not too late to avoid problems and penalties. According to Inc.com, 52% of U.S. businesses are impacted by the General Data Protection Regulation (GDPR, or the Regulation). Many of these companies are late because they mistakenly believed they operated outside the purview of the GDPR. Now, those companies are somewhere between panicked and confused. They needn’t be, if they are able to be “business-like”, take a moment, and read the writing that is actually on the wall. Both over-reaction and no action will likely have costly consequences.
First, let’s discuss the current context for the GDPR deadline with two sets of facts. One: on the day the GDPR went “live”, May 26, 2018, three countries (yes, countries, not companies) had missed the May 25, 2018 deadline. Yep. It is a fact that Belgium, Greece and Hungary, three member states of the European Union, were not ready and able to enforce the GDPR when the deadline arrived.
The second fact is that the Commissioner of the European Union’s own Information Commission (ICO) stated that during the first year following the deadline, her Commission would take stock of the GDPR’s implementation status and progress. Given these two facts, there seems to be no reason for panic, if you are prepared to be business-like about the Regulation. More about that in a minute.
You have every right to be confused about the Regulation. Everybody is at least somewhat confused, and here is why. The failure of three EU countries to begin enforcement of the Regulation certainly creates legal uncertainty for both EU citizens and companies that do business with those three countries, and the United States is certainly a country whose companies do.
Also, the most prominent source of guidance regarding the GDPR, www.ico.uk.org, is somewhere in the process (known as Brexit) of separating itself from the European Union altogether. Although the guidance found on ico.uk.org appears to be reasoned and even excellent, how do we rely on it when the UK is disavowing the EU? Yes, there is a lot for U.S. businesses to consider when the EU is practically shape-shifting.
So, while there is good cause for confusion, there is little reason for panic, but only if you are business-like in your actions. That means you, first, recognize that the European Data Protection Board means business, and second, avoid getting on its radar screen in a bad way. If you are not convinced that it is in your own best interests to be business-like in regard to the GDPR, here are some other facts to consider:
- The European Data Protection Board (the Board) is an independent decision-making agency with legal authority to enforce the law. This means the Board is authorized to levy fines and penalties for infractions of the GDPR. I encourage people to regard the Board as they regard the IRS, except that it is a much younger powerful government agency. If you have a formal, business-like relationship with the IRS, then you will need a similar relationship with the Data Protection Board because:
- You have the choice to "not" do business with the EU, which means that by actually doing business with the EU you de facto are also choosing to play by its rules.
- The Board asserts, by the power vested in it by the European Union, that the privacy of personal data is a “fundamental right” in the EU, which gives it the legal and moral high ground should you not register and be in good standing with the Data Protection Board.
- The Commission, which governs the Board, asserts that it "will not hesitate to take EU member states to court for serious cases of non-compliance". This is how the Board can create a bad day for you and your organization.
- The Commission also states it will take appropriate action, including “recourse infringement actions”, which means they can cause EU businesses to stop doing business with U.S. companies that are not registered and in good standing with the Board.
- The Commission upped its profile and presence, as of July 2018, when it initiated moderately wide-scale awareness training, thereby eliminating any pleas of ignorance about the GDPR.
So, if you are among the 52% of U.S. businesses subject to the GDPR and you missed the deadline, don’t worry, but also do not delay. There may be much you need to do, and then again there may be very little to do. In either case, you are well advised to take just a moment to see what path is best for you and your business.
Here is a good little plan of action for those who wish to stay on the good side of this new law enforcement agency. Each of these steps is fairly easy:
Find out where you stand and where you want to stand. Nobody makes you do business with European citizens, and you may determine the cost of doing so to be too high or simply unnecessary for your organization. This assessment can be conducted and documented with a letter by certain third parties that have a standing with the GDPR, who will state the grounds for non-participation, or perhaps lesser participation. This would give you peace of mind at the very least.
If you do intend to conduct business in the EU, or with EU citizens, or with EU businesses located in the U.S., or (and here is a big "or") as a supplier to an EU business, including as a supplier to a supplier (think of an elevator subcontractor to an electrical contractor renovating a UK-owned building located in the US), you will need to register with the Board and have your GDPR plan approved. (You may want to re-read the previous sentence.) Most small to medium-sized businesses can do this for less than $5,000 in outside costs spent over a few months by using a part-time Data Protection Officer (DPO). Many of those businesses will find that trimming a few low-profit activities results in less exposure to the GDPR and creates a net gain when all is considered. This is often achieved when a business trims back certain activities to become (in GDPR terms) a Processor rather than a Controller, or a Supplier rather than a Processor. It is similar to selling off certain assets to benefit from a lower income tax bracket.
Now, suppose your EU-related business activities are quite productive. If so, you would definitely need to embrace the role (Controller, Processor, or Supplier) that optimizes the business opportunity. This does not mean that you have to be a large organization, or that you have to be, say, a Controller. For example, many system integrators fall right in the middle of this group, and their annual revenues are often less than $50 million. It just happens that they are suppliers to many of the largest organizations in the U.S. and the EU.
Embracing the GDPR and your role, whichever you choose as best for your organization, is your best course of action. The outside cost for system integrators, who usually are Suppliers, will likely be less than $5,000 over a few months; it may be in the range of $20,000 for Processors and still more for Controllers. Here is an approach for minimizing those costs while fully intending to meet your obligations under the GDPR:
1. Appoint a part-time DPO with senior executive skills for approximately 6 months at between 4 and 8 hours per month. This is best done by contracting with a former CIO or CISO of a nationally prominent organization who is well versed in data privacy laws such as the GDPR, the California Consumer Data Privacy Act and similar. You can find such part-time technical executives, available for short-term engagements, at organizations such as Fortium Partners, B2B CTO, Ingram Micro Professional Services and Prosum. Consider this DPO to be your CPA for cyber security issues and expect to receive leadership, not specific device configurations.
2. Determine if and how you might optimize your organization's role in regard to the EU and the GDPR: As a Controller, a Processor, a Supplier, or None of the Above.
3. Clarify your company’s data: how that data is sourced, shared and used, and where it is stored. This is especially important in regard to personal information as defined by the GDPR. It may also be important in regard to other applicable privacy laws such as the California Consumer Privacy Act of 2018 and the New York Data Security Act, or applicable security frameworks. This is best done by creating a Data Map under the guidance of your DPO.
4. Clarify your understanding and awareness of the personal information your organization touches. Use the Data Map to clarify the legal basis for the use and sharing of such personal information, as well as to identify any geographical boundaries crossed as part of that sharing and use. Use the Map also to clarify the applicable notifications and the rights of control that the data subject (i.e. the person to whom the personal information applies) has over that personal information.
5. Empower your data subjects to control and manage their own data. This is best done by starting with your public-facing web site and improving its functionality for notifications, deletions, corrections, portability, and information about how personal information is used and shared by your organization.
6. Use the leverage you possess to optimize between compliance, operations, revenue and other financial considerations. This is best done by having your DPO engage with your CFO and your sales and marketing leadership to establish both an interim and a staged course of action toward compliance with the GDPR.
7. Identify and implement a reconciled and clear “tone at the top” for your company. This is best done by having your DPO discuss with your senior management the difference between privacy for privacy's sake and lax governance over the use of a data subject's personal information, governance so lax that it might or does enable the misuse of that information against the data subject himself or herself, for the exclusive or disproportionate benefit of other parties.
8. File your company’s compliance plan. This is best done by your DPO and the EU local representative to the Board, as part of a 2 or 3 year plan that focuses first on the less expensive data protection measures and schedules the more costly measures in a way that enables budget planning.
Don’t panic, and don’t let confusion cause you to lose customers and create IRS-like compliance problems. The cost of establishing a standing with the Board and the Regulation is likely to be much less than the cost of doing nothing, if you wish to do business directly or indirectly with European citizens or businesses.
Special End Note: The Regulation is not at all “privacy for privacy’s sake”. The purpose of the Regulation is simple and as American as apple pie. The Regulation attempts to assure that information about any individual person's health concerns, financial issues, personal beliefs, DNA-driven attributes and behaviors cannot be used against one or more persons without each person having a chance to prevent such adverse activity. This means that important services (e.g. loans and financing) and access to other benefits (e.g. healthcare or a home in a desirable neighborhood) cannot be withheld from any one of us without our knowledge and without our having a chance to prevent such use, just because that information happened to be found available on the Internet.
For more information, call 310 418 7322, or contact Ingram Professional Services (Ingram customers only).