GDPR Compliance for US Companies: Why You Should Care
What is the GDPR?
The GDPR (or General Data Protection Regulation) is an effort from the European Commission and the EU to ensure that EU citizens’ personal data is handled in the appropriate manner by the organizations who hold it. Some are calling it an effort to give citizens back their right to manage their own data. The GDPR adoption should therefore result in protections for European citizens’ personal data and the means for citizens to have portability of their data. The important takeaway here is that the General Data Protection Regulation is designed to ensure that consumers as well as companies know that their data is secure.
The GDPR document has 173 recitals and 99 articles. The recitals give explanations of the law in more of a vernacular, so that (and this is the goal here) almost anyone can understand them.
What about non-EU countries?
This question comes up a lot, and is one that must be addressed. If you’re a U.S.-based organization, GDPR compliance may very well be necessary for you. Multinationals will have to care because they often have EU citizen data and some EU presence, and you could be subject to a class action lawsuit if you lose that data.
Article 3 of the GDPR says that if you collect personal data or behavioral information from someone who is in an EU country, then your company falls under the GDPR compliance requirements. The GDPR applies to any business that stores personal information of those in the EU, so it doesn’t just apply to those companies who have locations or employees in the EU. If you sell products in the EU and have customer data, lead data or payment information of those who are in the EU, you must scope GDPR compliance for your organization.
For example, suppose your marketing department fuels lead generation so that those leads can become customers. Each lead it generates contains personal data or personally identifiable information (PII), and that alone makes the organization fall under the GDPR regulation.
Who are some high-probability U.S. sectors that fall under the scope of GDPR? Hospitality, travel, software, e-commerce: these companies have to take a closer look at their online practices that generate paying customers. Any U.S. company that has a market in any EU country needs to review how it is generating and handling that data.
The GDPR Timeline… and the Fear, Uncertainty, and Doubt of It All
Many organizations are asking: will the deadline have a grace period? The answer is no. In fact, most people don’t realize this because they haven’t researched the history of GDPR, but if they had, they would realize that the timeline already accounted for a grace period. In 2015, the text for GDPR was written. The next year, in 2016, the GDPR requirements were adopted by the EU Parliament. In May of the same year, the regulation was made into law and the grace period of two years began. Therefore, if your company falls under GDPR, you’ve already had two years to comply with the GDPR requirements, and your time is up. This May 25, 2018 deadline isn’t a deadline with no enforcement behind it - real GDPR enforcement will begin once this date hits. Key takeaway - DO IT NOW.
What are the GDPR Requirements?
There are several high-level aspects of GDPR: consent, large fines, appointing a DPO, protection by design, and others. For your company to get ready for the General Data Protection Regulation that becomes active May 25th, 2018 (this month, people!), you need to review your existing security measures and frameworks with tenacity. The GDPR requirements aren’t as complicated as other frameworks, because there’s room for flexibility. But, like any framework or standard, it’s a lift to implement, a culture shock to many companies, and most of all, one big lesson on how to be accountable for personal data.
The headlines seem to rotate around a handful of GDPR requirements: the “right to be forgotten”, your new 72-hour breach reporting timeframe, and more robust consumer consent or “opting in”. And let’s be honest, you’ve probably heard about the high GDPR compliance fines and monetary penalties more than just a few times.
The 72-hour timeframe within which you must report a data breach to the DPA is a big undertaking for many organizations. For most organizations, it can take a couple of months to discover the breach, document what happened, and get to the bottom of how it happened in the first place. You’re required to know all of this when you report your breach to the DPA - this means that you’ll likely need to do some technology solution shopping to shorten your detection, incident response, and recovery planning cycle.
GDPR is meant to be “tech neutral”, meaning that it’s flexible about what you have in place and lets you choose the technology you prefer to meet its key objectives. This is helpful in that it simplifies things for you - you spend what you have to spend, but you have the choice of implementing what you need, how you need to, in order to prove you’re handling the data correctly.
GDPR will drastically change how you approach data. Not only must you as an organization provide a notification to each country’s representative that you sell to within three days of a breach, but you must also know the complete details of which citizens’ data was affected and how. The issue with this is that most people deal with breaches after the fact, bringing in investigative teams to do the important work. It can take two months to figure out what happened after a breach - now it has to take a much shorter time span to adequately report your findings back to the DPA. Security teams will be affected radically by the GDPR because they have a set of processes and outside vendors that they use regularly, and this regulation ultimately reengineers those processes. Companies are looking for new approaches, whether through technology or procedure, to align themselves with a shortened time frame for incident response and reporting.
But what breaches need to be reported? A breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” is required to be reported. If the EU personal data that was exposed can cause “risk to the rights and freedoms” of EU data subjects - this includes credit card data and other sensitive personal identifiers - then the breach needs to be reported.
Appointing a DPO, or Data Protection Officer, is critical to achieving GDPR compliance if you’re a company in the EU. Any company in the EU in some form or fashion should have a DPO who talks to company representatives when an incident does happen. In a sense, they are the crisis managers who also act as the public face of your company on customer data and how you handle the data you gather. You should make sure that your company continuously assesses where you keep your information, as data may move from place to place, and threats are constantly evolving.
Another key requirement is making sure that customers, or anyone who knows their data is stored in your systems, can request to be forgotten, or to be moved out of your system in its entirety. This part of the GDPR is important because it
The Consequences of Staying in GDPR Denial
The GDPR regulation introduces significant fines for those who prove to be non-compliant after May 25th, 2018. If you don’t report a qualifying breach within 72 hours, you receive the first tier of fines, which is 2% of global revenue or €10M - whichever is more. The higher tier of 4%, or €20M (again, whichever is greater), is for broader non-compliance, and it is the figure that has received more press attention.
CyberStrong makes rapid GDPR compliance within reach for organizations of any size. Whether your company is a small business that stores EU customer data, or you are a large multinational, CyberStrong makes cyber and data compliance much easier to tackle.