The deadline for compliance with the European Union's (EU) General Data Protection Regulation (GDPR) is approaching fast. By May 25, 2018, all companies that do business in the EU, process the data of EU residents, and have more than 250 employees must show that they are taking substantive measures to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
The GDPR also regulates the export of personal data outside the EU, and it affects companies with fewer than 250 employees whose data processing affects the rights and freedoms of data subjects on a more than occasional basis or involves certain types of sensitive personal data.
Essentially, any company doing business in the EU's 28 member states or using the data of EU citizens is subject to the regulation's standards. Understanding how to meet these standards is particularly important for US businesses and others worldwide that operate internationally, specifically those with customers in the EU. In addition, all data processors and data controllers that work with these businesses must be in compliance, the reasoning being that if your vendor is not in compliance, then your company cannot be in compliance. So, all contracts with vendors of this type must be updated to reflect that systems and practices have been put in place to comply with the GDPR. As with individual businesses, these vendor contracts need to define consistent processes for how data is managed and protected, and how breaches are reported.
While GDPR standards are considered high, they are uniform across all EU member states, so a compliance initiative can be built to a single standard. However, a recent report by Ovum found that about two-thirds of US company officials feel they will have to rethink their strategy in Europe due to system and business practice requirements, and nearly 85% feel the GDPR is putting them at a competitive disadvantage with European companies.
About 68% of US-based companies expect to spend $1 million to $10 million on systems to meet GDPR requirements, while another 9% expect to spend more than $10 million, according to a recent PwC survey. The type of basic identity information companies must now protect includes name, address and ID numbers; web data such as location, IP address, cookie data and RFID tags; health and genetic data; biometric data; racial or ethnic data; political opinions; and sexual orientation.
The first step in protecting data is to make certain that your company's IT and security teams understand how it is stored and processed. The GDPR names three roles responsible for ensuring compliance: the data controller, the data processor, and the data protection officer. The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
Once your team of professionals has worked together to gather the necessary information for GDPR compliance, they can then agree on a compliant process for reporting, articulate that in a new policy for the company, and include it in new contracts with vendors.
Companies that do not take these steps internally and with their data management vendors by the May 25 deadline are at risk of EU regulatory non-compliance fines, which historically have been steep. However, there is little need to place your business at risk of GDPR non-compliance. With careful attention to detail and proactive initiatives, companies can meet the GDPR standard and at the same time know they are protecting their customers and their own business by making both less vulnerable to data breaches.
At DAS Group, we are aware of the GDPR requirements and are ready to advise our clients so that they, too, take the necessary measures. It bears repeating that compliance is required of all companies with customers in the EU, as well as of all vendors whose clients have customers in the EU. If you have questions about meeting GDPR compliance, contact DAS Group. We are happy to discuss your concerns and help your brand ensure compliance.