Enterprises that collect or process European citizens' personal data are bracing as the European Union's General Data Protection Regulation (GDPR) enforcement date, May 25, 2018, approaches. The regulation is intended to bolster and consolidate protection of personal data for all EU citizens, and enterprises that violate these new regulations can expect penalties such as a written warning from the EU commission, the loss of certifications and/or a mandatory data protection audit.
To counter increasingly frequent and serious infringements, such as a security breach or loss of records, companies face fines of 4 percent of their annual worldwide turnover or approximately $22 million, whichever is greater. To put that into perspective, for a major company like Google, violating GDPR could result in a fine of $4.39 billion, based on its annual revenue.
With the deadline rapidly approaching, businesses need to conduct impact assessments to determine what steps are needed for compliance. This will require decision-makers to take a hard look at their organizations and identify a course of action for revising their current infrastructure, policies and third-party agreements. To take this type of methodical approach, firms must understand GDPR and its implications for businesses operating in and out of the EU.
Who is subject to GDPR?
According to the EU's GDPR website, protected data entails "... any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person." While this protection covers only the data of EU citizens, the obligations apply to any organization that handles that data, regardless of geographic location. This means even businesses based in the United States or Asia must be capable of handling privacy-related requests from customers or clients within the European Union. Specifically, GDPR applies to businesses that operate as a controller or processor.
Businesses that control personal data are responsible for its processing and security under GDPR. These entities, such as general practitioners or tax authorities, collect personal data such as the names, email addresses and locations of European citizens.
Working on behalf of controllers, processors are responsible for processing the personal data of citizens. A payroll company or cloud service provider, for example, that is contracted to provide a particular data service is considered a processor.
Enterprises must adopt and adapt
In order for an enterprise to establish privacy principles that meet the standards of GDPR, it must understand and organize sensitive information to meet the guidelines for data management. Here are several steps businesses can take to ensure their organizations are ready to comply with GDPR:
- Assess the Situation: Identify whether your firm is a controller or processor, and identify what data you handle. If your firm is a controller, it is liable for the actions taken by its processors. If your firm is a processor, it must understand GDPR guidelines and ensure that your agreement with the controller is in compliance.
- Determine a Course of Action: An enterprise's leadership must understand its requirements under GDPR and develop a roadmap to compliance. This should include identifying processors, developing and clearly articulating updated privacy policies, and incorporating a system for gaining explicit permission for the collection and use of data. Though public enterprises are required to appoint a data protection officer (DPO), it may be wise for private enterprises to consider this as well.
- Crisis Reaction Plan: It is important to understand that breaches may still occur, and enterprises are legally obliged to alert the regulatory authority within 72 hours of detection. Enterprises are required to demonstrate adherence to data protection guidelines and should be prepared to provide all relevant documents.
- Adapt to the New Standard: This is the first regulation signed into law that affects all EU citizens equally, and the first to carry such significant international implications. Given the far-reaching consequences of GDPR infringements, it is prudent for enterprises to build in compliant data protection organization-wide. This will reduce operational error when conducting international and domestic business, while saving time and resources in the long run.
GDPR poses a complex challenge for enterprises and is backed by serious enforcement authority. As we approach the May 25 deadline, GDPR compliance should be a priority for all businesses conducting business with Europe. While compliance will allow companies to avoid massive fines, it is also an opportunity to strengthen security protocols. Businesses should use this opportunity to show customers and the public that their concerns do matter and that actionable steps are being taken to safeguard their data.
Erik Severinghaus is a compliance expert at SpringCM.