As the launch of the European Union’s (EU’s) new General Data Protection Regulation (GDPR) draws near, businesses that have not already prepared are now scrambling to ensure compliance before the May 25 deadline.
You may be wondering “I’m in the United States, so this regulation shouldn’t impact my business, right?” Not necessarily. The answer to that question depends on whether you do business with people or companies that are located within the European Union. If yes, then this article definitely applies to your organization. And, if your answer is no, it’s still important information to stay abreast of in case the U.S. decides to adopt similar legislation in the future.
But, what do you need to know to ensure that your company meets the new regulations? We previously posted a GDPR compliance checklist of things you need to know about GDPR. Now, we’ve put together a list of key things to do to prepare your business to meet the new regulation.
1. Review Your Company Policies, Procedures, & Contracts
The ball was set in motion to create this regulation because of the alarming increases in data breaches and cyber crimes that have taken place in recent years. The regulation outlines how personal data and personally identifiable information (PII) of “data subjects” (EU citizens) are handled by businesses. The goal of the regulation is to standardize previously inconsistent processes that have historically varied between EU member states.
Under the new regulation, the rights of data subjects are guaranteed, which plays a deciding role in how companies are allowed to collect and store customer information. This means that your legal team (or a business or telecommunications lawyer, which is definitely recommended) will need to review your existing policies and procedures to determine whether any changes need to be made to ensure compliance. Your team also should review contracts with any other companies or organizations with which your organization shares customers’ personal information.
Whether your organization is a business or a nonprofit, it will be required to follow the rules of GDPR once the regulation takes effect. Otherwise, according to Article 83, your organization may be subject to fines for infringement or noncompliance. These fines can include administrative fees of up to 10 million euros or “up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
In some cases, the fines can go as high as 20 million euros or “up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
2. Perform a Data Audit to Gain Greater Data Visibility
It’s important to note that the data your organization already has in its possession is NOT grandfathered in by any protective clauses; it’s subject to the same rules as newly collected data. To understand what types of personally identifiable information and other data your organization holds, you will need to document: 1) the types of data your company possesses, 2) where the data originated, 3) with whom it’s shared, and 4) how it’s shared.
To do this, you’ll want to start by reviewing the following:
- What types of data you have;
- How all types of personal data of the data subjects are collected, handled, and stored;
- Where the types of data are stored;
- For what purpose the information is being collected and used;
- Who is responsible for retaining and deleting the data;
- How long the data is to be stored; and
- How data is shared with other companies or vendors.
3. Open Channels of Communication with Customers
According to a 2017 survey by Gigya, 68% of consumers “don’t trust brands to handle their personal information appropriately” and 31% believe that brand privacy policies have become weaker. On the heels of Facebook’s recent lax privacy protocols controversy, it wouldn’t be surprising to see those numbers continue to rise.
However, it doesn’t have to be that way for your clients and their perceptions of your brand — so long as you take the appropriate steps to ensure their information is protected and is used only in the ways they have been told it will be. This involves opening and maintaining channels of communication with your customers to inform them, concisely and transparently, about their data and how it is used.
According to Article 13, when obtaining any personal data, you must inform the data subject about each of the following:
- Who will be using it, along with their contact information;
- How the information will be used;
- The legitimacy of the data processing;
- Who will receive the information;
- If the personal data will be transferred to an international or foreign third-party organization;
- How long the information will be stored;
- Their right to erase their data, or to take advantage of any processing or portability restrictions;
- Their right to file a complaint with authorities;
- Whether their submission of personal data is a contractual or statutory requirement (and any consequences of failure to provide said data); and
- The existence of profiling and automated decision-making (as referred to in Article 22  and ).
Additionally, in the event of a data breach, the data subject needs to be informed about the situation. According to Article 34 of the regulation:
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
It’s important to note that “without undue delay” is nebulous and doesn’t actually specify a particular amount of time to notify affected consumers. However, Recital 85 of the regulation does specify that as soon as you’re aware that a data breach has occurred, you must:
“notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
4. Limit Employee Data Access and Provide Training
Although this is considered a standard cybersecurity best practice, limiting which employees have access to personal data (and how much access they have) is also a good way to help reduce the risk of data use abuse and GDPR noncompliance. Additionally, training them to understand proper data usage is key to ensuring personal data remains protected.
After all, your employees serve as both critical components of your organization’s cyber defenses as well as the people who collect, use, and maintain the PII of customers and prospects. As such, you need to ensure that every one of your employees — everyone from the top down — understands the risks and how their actions impact data security.
5. Document EVERYTHING
To be in compliance with GDPR, your organization must maintain complete and comprehensive written documentation about how personal data is processed. Should a company neglect to maintain these records or fail to provide a complete index to authorities, it will be subject to fines of up to 10 million euros. However, each case will be viewed on an individual basis, and authorities will “consider the special needs of the smallest companies as well as small and medium companies in the application of this regulation.”
What else are you doing to prepare your business for GDPR Compliance? Share your thoughts in the comments section below or send an email to speak with me about how we can work together to prepare your business for the GDPR launch.