If you are a US business that just started thinking about how to prepare for the General Data Protection Regulation (GDPR), time is running out.
When the sweeping European Union (EU) legislation goes into effect on May 25, entities that process the data of European citizens are subject to a slew of new rules, which include enhanced data subject rights, guidelines for handling data, simplified and strengthened consent, mandatory breach notifications and increased protections for children.
Organizations in breach of GDPR can be fined up to 4 percent of their annual global turnover or €20 million (whichever is greater).
In order to be fully compliant, you’ll need to spend some time and money, but there are some things you can get started on right away.
- Determine if the GDPR applies to you. The short answer is that it probably does. Most large companies are bound to have some European customers. It gets trickier for smaller businesses, and misconceptions abound, but any business whose database holds the personal data of even one European citizen, regardless of where that person resides, is expected to comply.
- Audit your processes and be able to map the location of all the personal data you’ve collected. Ask these key questions: What kind of user information are you collecting and how are you storing it? Are you able to easily pull up a data subject’s record on request? Delete it on request? Are you asking for consent for using data? Are you keeping a record of that consent? GDPR compliance requires that you do all of the above, and more. Get a baseline view of your operations so you know where you’re starting.
- Position your company as privacy-forward. Even if you are adopting a wait-and-see approach to GDPR enforcement, it’s just good business sense to make an effort to comply. Many brand experts believe that GDPR will usher in a badly needed attitude shift in marketing and that it will eventually benefit your bottom line to be seen in compliance with GDPR and other privacy laws. Simple efforts like publishing white papers or participating on panels about privacy subjects can bolster your brand and signal to your customers that you are serious about protecting their data.
- Hire a data protection officer. This relatively new personnel role is tasked with much of the heavy lifting in terms of making sure an entity is compliant. Companies in EU member states are required to have one. The International Association of Privacy Professionals (IAPP) has estimated that as many as 75,000 DPO positions will be required across the globe. If your company is too small to justify the cost, consider contracting someone with a legal and security background to advise you.
- Look at your partners. Under GDPR, you are liable for third-party processor breaches. So be ultra-aware of your partners’ histories with data and privacy. Look for vendors that proactively promote their privacy initiatives.
- Keep an eye on your competitors, and on your enemies. Investigations into GDPR breaches and enforcement against entities will likely be triggered by reports of noncompliance. This process could leave you vulnerable to malicious reports from underhanded competitors. Your best defense is to be aware and prepared. Concentrate on making sure your own house is in order, but also stay aware of what the “other guy” is doing.
- Invest in compliance tools. Tools that help businesses comply with GDPR are released every day, and we expect the pace to pick up even more. There are tools for just about each tenet of GDPR, including ones that facilitate packaging up personal data in response to user requests and ones that aid in record keeping.
- Get certified. If you regularly conduct transatlantic transfers with businesses in the EU, you are likely already certified with Privacy Shield, which replaced the less restrictive Safe Harbor agreement in 2016. US companies that self-certify are essentially making a promise that they will follow EU data privacy laws while receiving EU data.
- Don’t panic. Yet. There’s still a lot of confusion over how the rules will be applied and enforced here, and regulatory agencies such as the FTC haven’t yet announced any processes and procedures. It’s likely that until a “big fish” is found to be out of compliance, we won’t know how it will play out. Do your best to show that you are trying to be in compliance.