GDPR Compliance for Companies in the United States
GDPR regulation affects every worldwide company that does business in the EU or has customers in the EU. The GDPR or General Data Protection Regulation protects all European Union data subjects regardless where they or their data are located.
Failure to comply with the GDPR has serious consequences. Your company could be penalized for non-compliance up to around $20 million or 4% of global annual turnover, whichever is higher. Are you GDPR ready?
You will learn:
- What is the GDPR
- What are the eight main GDPR requirements
- How ready is your company
What is GDPR?
The EU General Data Protection Regulation (GDPR) is a regulation that requires businesses to protect the personal data and privacy of EU residents for transactions that occur within EU member states.
Does the GDPR affect American businesses?
Yes, even if your company is not located in Europe, the GDPR will still affect you if you have client data for residents of the EU.
When does the GDPR go into effect?
The GDPR goes into effect on May 25th, 2018. After this date companies must have their compliance strategies in place. Fines will be hefty for non-compliance.
What are the penalties for not complying with the GDPR?
Your company will be fined if you do not comply. GDPR authorizes penalties for non-compliance of up to 20 million Euros, or 4% of global annual turnover, whichever is higher.
Is your company GDPR ready?
GDPR goes into effect May 25, 2018. This will affect any company that stores or processes personal information about EU residents including customers, employees and prospects. GDPR applies even if a firm does not have a business presence within the EU.
The GDPR applies to:
- Companies that have a presence in an EU country.
- Firms with no presence in the EU that nonetheless process the data of European residents.
- Businesses that have more than 250 employees.
Exempt but not off the hook:
- Firms with fewer than 250 employees that gather personal information on data subjects are exempt only from certain record-keeping requirements (cf. Recital 13 GDPR); the rest of the regulation still applies to them.
According to a PwC survey, 92% of U.S. companies consider GDPR a top data protection priority.
What happens if a company is not GDPR-compliant?
Your company will be fined if you do not comply. GDPR authorizes penalties for non-compliance of up to $20 million, or 4% of global annual turnover, whichever is higher.
Research shows that if your organization is not in compliance by the May 25 deadline, it will not be alone.
According to a Censuswide survey released in November 2017, approximately 35% of US companies do not feel prepared to meet the May 2018 GDPR compliance deadline.
What data does the GDPR protect?
GDPR applies to the protection and processing of the personal data of all data subjects, including a company’s customers, employees, and prospects.
The following information will be protected by the law:
- Identity information such as name, address, and ID numbers
- Web data such as location, IP address, cookie data
- Health and genetic data
- Sexual orientation
- Biometric data
- Racial or ethnic data
- Political opinions
Data processors, as well as data controllers, have an obligation to comply with GDPR. If you own a web-based company, you will have to define responsibilities and liabilities among your partners.
Take these steps to comply with the new GDPR regulation.
Step 1. Hire experienced privacy professionals.
Does your company have the staff skilled at ensuring privacy controls and locating data throughout the organization? If not, you should hire experienced privacy professionals and recruit and train a data protection officer, or outsource to a data consulting firm.
Some companies may need to pull in people from many areas of the business and coordinate with project managers across the organization to make sure the right processes are implemented.
Step 2. Establish a track record of compliance before May 25, 2018.
If your company is a large one, you should begin immediately to reinforce the implementation of information security controls and technologies. These include automated IT security monitoring, testing, and measuring. Your company should be able to provide detailed documentation to prove compliance.
Step 3. Know where your consumer data is.
Determining this may be one of the most challenging tasks associated with getting ready for GDPR. Some companies simply do not know where all their consumer data are.
Your company will want to create a comprehensive catalog of all your organization’s data, including development, test, production, data warehouse, and backup systems. You need a sophisticated level of automation to handle this, including logs of read, write, and delete access, and regular reporting from these logs to the Chief Protection Officer.
Step 4. Be able to analyze risks for the data you hold.
The privacy professionals in your firm will need to determine which data are at risk and which practices and technologies will reduce those risks. If you are a company that is processing the data of many thousands of EU data subjects, you will be expected to implement stronger measures to protect this data than a business processing only several dozen subjects would be. When your firm reduces its overall network risk profile, you will also decrease your chances of a data security breach.
Step 5. Data governance teams need to strengthen metadata management and data lineage capabilities.
Data lineage is critical to GDPR. Your privacy protection team needs to be able to determine where this protected data came from and where it is going. Use the metadata management tool to control who has read, write and delete permissions. The metadata management tool can link permissions to each column and internal user. You also want to reduce the time it takes to get data out of “quarantine” and into use. It would benefit your firm to be agile and ready for any additional regulations that will follow. To meet these needs, the metadata management tool will identify and control access to GDPR-affected data, mainly PII.
Step 6. Integrate your ability to tag personal data directly with data access and masking tools.
If your information is “Personal” or “Sensitive” or is an item that needs to be protected under GDPR, it should be masked, de-identified, or have its access restricted. This process should be automated.
Data masking reduces the exposure of sensitive data within an organization. Masking protects the data while at the same time maintaining its usability: real data are replaced with fictitious data so that the data set can be used safely in situations where the actual values are not needed.
GDPR views data masking as a way of protecting consumers’ privacy rights while letting data controllers use collected data for other purposes.
GDPR poses the challenge of balancing data democracy against data protection. As firms we would like to get the most out of our data and have it fully available; however, GDPR requires that organizations practice data minimization. For example, a life insurance company may collect personal information to issue a policy. Later the firm may decide it wants to analyze the data collected from its clients to improve the pricing of policies. But it would not be able to do so, because data collected for one purpose (e.g., writing a policy) cannot be used for a new one (e.g., analyzing pricing). However, if the information is anonymized via data masking, the masked database could be used for the pricing analysis.
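As an added illustration of the life-insurance scenario above (example code written for this page, not from the original author), the Python below masks a constructed set of policyholder records: the e-mail address is replaced by a keyed surrogate, date of birth and postcode are generalised, and the pricing attributes are kept, so the average premium per age band can still be computed from the masked copy alone. The key, field names and sample values are assumptions.

```python
import hmac
import hashlib
from statistics import mean
# Constructed sample policyholder records; the people and values are invented.
POLICIES = [
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1984-03-12",
     "postcode": "75001", "smoker": False, "annual_premium": 1200.0},
    {"name": "Bob Example", "email": "bob@example.com", "dob": "1972-11-02",
     "postcode": "75008", "smoker": True, "annual_premium": 2100.0},
    {"name": "Carla Example", "email": "carla@example.com", "dob": "1985-06-30",
     "postcode": "69001", "smoker": False, "annual_premium": 1150.0},
]
MASKING_KEY = b"rotate-me-and-keep-in-a-vault"  # hypothetical; store apart from the masked data
DIRECT_IDENTIFIERS = ("name", "email", "dob", "postcode")

def pseudonym(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed hash: one input -> one surrogate, so masked tables still join."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def age_band(dob: str, reference_year: int = 2018) -> str:
    """Generalise an exact date of birth to a ten-year band."""
    lo = ((reference_year - int(dob[:4])) // 10) * 10
    return f"{lo}-{lo + 9}"

def mask_record(rec: dict) -> dict:
    """Masked copy: identifiers dropped, quasi-identifiers generalised,
    pricing attributes (smoker status, premium) kept unchanged."""
    return {
        "subject_id": pseudonym(rec["email"]),  # surrogate replaces the e-mail
        "age_band": age_band(rec["dob"]),
        "region": rec["postcode"][:2],          # full postcode -> area prefix
        "smoker": rec["smoker"],
        "annual_premium": rec["annual_premium"],
    }

def mask_dataset(records: list) -> list:
    return [mask_record(r) for r in records]

def average_premium_by_band(masked: list) -> dict:
    """The pricing analysis from the text, run on the masked copy only."""
    bands: dict = {}
    for r in masked:
        bands.setdefault(r["age_band"], []).append(r["annual_premium"])
    return {b: round(mean(v), 2) for b, v in bands.items()}

def leaks_identifier(masked: list, original: list) -> bool:
    """Release check: does any original direct identifier survive in the output?"""
    flat = " ".join(str(v) for rec in masked for v in rec.values())
    return any(str(o[f]) in flat for o in original for f in DIRECT_IDENTIFIERS)
```

While the masking key is retained the output is pseudonymised rather than anonymised in GDPR terms, since anyone holding the key can recompute the surrogate from a known e-mail address; the generalisation of age and postcode is what reduces re-identification risk in the analysis copy.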
Step 7. Be able to show consumer consent for data collection and processing.
Individuals must consent to the collection of their personal data. GDPR requires that companies give individuals notice of collection and that the individuals have a chance to give permission before data gathering begins. The GDPR is designed to reduce risk to consumers and to allow them more control over their information.
The GDPR brings new requirements for all forms of direct marketing, including:
- Strict consent for all direct marketing campaigns
- A consumer’s right to be forgotten, affecting the way marketers store data
- Proof of consent, stored in a way which makes it easy to access
Step 8. Ensure your internal privacy controls are effective.
The security practitioners in your company need to design and implement a wide range of internal controls that provide structure to how your data are stored, managed, transmitted, and destroyed. You need to take steps to make sure that your internal controls are working well. These may involve using advanced cyber security methods and designing new firewalls for your information.
Step 9. Make sure the data you store is portable.
The GDPR requires personal data to be portable from one company to another. Your business must be able to manage data that are shared across multiple platforms or vendors. If a customer wants you to transfer their personal information to them, you need to be able to do so.
Step 10. Be able to erase personal data when appropriate.
This will support the part of the regulation that includes “the right to be forgotten,” when individuals request that a company remove their data from its database. If an individual withdraws consent to having their data stored, companies must delete it.
A key objective of GDPR is to keep personally identifiable information private. According to Solix Technologies, nearly two-thirds (66 percent) of survey respondents say they are unsure if they can erase an individual’s personal information by the GDPR deadline. Many organizations have no process for tracking and documenting all their data and data flows. A solution would be to identify PII in the metadata manager, identify PII associated with a specific user, then delete all corresponding data.
Step 11. Recognize and report a data breach.
Any company that experiences a data breach is required by the GDPR to give affected individuals notice of the breach within 72 hours. This new law gives companies increased incentives to avoid a breach.
Firms will want to implement advanced risk management techniques to guard against hackers.
These include:
- Identifying potential external and internal threats;
- Understanding the company’s data targets and their appeal to attackers; and
- Staying up to date on the range of tactics hackers may use.
The GDPR also requires impact assessments, which are intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.
Step 12. Make sure your third-party partners are GDPR compliant.
If your company is web-based, you will have to make sure that the third parties you use are GDPR compliant. If your firm has many third parties, your business needs expertise in legal issues, vendor management, and risk management to create new models for engagement between the platform partners.
Your company will want to identify, monitor, and audit third-party providers. You will also want to test security systems and processes at regular intervals.
Next Steps
Contact us to assess your data compliance strategy and answer your GDPR questions.