Yes, GDPR Applies to You

You’ve probably seen the headlines about the EU’s General Data Protection Regulation (GDPR), legislation that will dramatically change the way companies manage their data and security policies. It takes effect on May 25, 2018.

Of course, it’s easy to assume that these regulations apply to only EU-based companies or perhaps global corporations with an EU reach. Many of our clients—companies that are solely based in the U.S. and have no explicit business in the EU, for example—assume they’re not affected. 

Unfortunately, that assumption is wrong. Between now and May, any company with a pulse on the internet (a website, an app or a mailing list that people in the EU can reach) will need to make some changes. Read on to learn more about the GDPR and how it will affect your data practices.

What is GDPR?

Here’s the short definition: GDPR is a regulation that requires businesses to protect the privacy and personal data of individuals in the EU. It applies to any processing of personal data connected with offering goods or services to people in the EU, or with monitoring their behaviour there, even if your company is not based in the EU. In other words, it applies to your company if you process the personal data of a European resident. GDPR covers basic details such as name, address, email and IP address, and sets a higher bar for “special categories” of data such as health information, racial or ethnic origin, political opinions and sexual orientation.

Of course, it’s far more complex than that. GDPR substantially expands individuals’ rights over their personal data. Companies are now under the microscope: how they respond to the regulation and update their security policies will be closely examined. The consequence of sweeping it all under the rug is hefty fines, up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.

The challenge is that, like many laws, GDPR leaves room for interpretation. For example, what counts as personal data? What is an appropriate level of protection? Definitions here can get a bit murky, but we can all probably agree that these are high standards to meet, and that for many companies reaching them will require major shifts to their security policies and systems.

A consumer’s “Right to Be Forgotten”

One more twist. GDPR protects the right of individuals in the EU to be forgotten: the right to have their personal data erased, completely wiped, or to have its processing restricted. The problem is that many large companies don’t know where their data is stored at any given time. One ZDNet article noted that “82 percent of organizations don’t know where their most sensitive personal data is stored, with only 55 percent maintaining audit trails for data consents, collections updates, and deletion.” You cannot erase what you cannot find, so an inventory of where personal data lives is a prerequisite for honouring these requests.

What GDPR means for U.S. businesses

Several roles at your company carry GDPR obligations. The data controller (the organization that decides why and how personal data is processed) bears primary responsibility. A data protection officer, where one is appointed, oversees and advises on compliance. And if you use a third-party data processor, that processor has its own direct obligations under the regulation and can be held liable for failing to meet them.

Not sure who carries the burden? It’s time to figure it out, unfortunately: the regulation requires that a data protection officer (DPO) be designated if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data such as health or biometric data. Public authorities must appoint one regardless.

Another area of impact is your contracts with third-party vendors. Every contract under which a vendor processes personal data on your behalf needs to spell out the new rules and who is responsible for what. GDPR adds requirements for record-keeping and reporting, mandates that you inform customers of their rights (and of breaches that put them at high risk), defines how data must be managed and protected, and sets a 72-hour window for notifying the supervisory authority after you become aware of a breach.

Keep in mind, this isn’t just a paperwork update. These requirements call on business leaders to have real conversations about responsibilities and about who owns what when it comes to data, and those conversations must take place before the paperwork is updated. For global enterprises, that can mean hundreds or thousands of contracts.

Best practices for meeting GDPR requirements

  • Designate a DPO. Assign someone within your organization ownership of implementing GDPR and of leading all the resulting changes.
  • Figure out your approach to data protection. Does your current policy align with GDPR? Where is personal data collected, stored and shared today?
  • Have a strategy for mobile. If employees access EU residents’ data from mobile devices, that further complicates compliance.
  • Create a reporting strategy. This covers not only how you notify customers, but how you will demonstrate your approach and progress to regulators.
  • Define and test new processes. This includes everything from incident response and breach notification to a defined process for ongoing assessment and improvement.

We’re here to help.

GDPR is complicated, and there’s no way around that. Many companies of all sizes will find themselves needing to scale their resources to meet the May 25 deadline. If you have a question about GDPR or data security, or require professional assistance, let’s talk.


This article was originally published on iT1's blog.


SIVA SAI PRASAD (希望) KULPAGURI

Customer, Commercial, Marketing & Sales | Service Delivery | Digital Transformation | C-Level Business Development Professional “More than 20 years of proven success in delivering shareholder value and revenue growth”

6 years ago

1 month to go.. & all set to change related to Data & privacy


Author: Brian Schoepfle