The countdown is on. Only 50 days left until the UK’s General Data Protection Regulation (GDPR) goes into effect on May 25. Replacing the current Data Privacy Directive established in 1995, GDPR will still focus on the overall goal of protecting the data of EU citizens in an increasingly data-driven world. While both directives seek to accomplish similar goals, major changes come with the new regulation, including its jurisdiction, hefty fines, and the rights of data subjects.
GDPR and The U.S.
So what exactly is GDPR and how will it affect organizations outside the EU?
Simply put, GDPR aims to protect EU citizens from privacy and data breaches around the world, according to its official website. Under the regulation, citizen data refers to any information that can be used to identify an individual. Of course, this list includes the standard data points like name and address, date of birth, and phone numbers, but it also covers information you wouldn’t typically consider, such as photos, IP addresses, social media posts and medical information.
Although GDPR solely protects the data of EU citizens, the regulation spans far outside European borders. Perhaps one of the biggest changes, and the reason U.S. organizations should be preparing accordingly, is GDPR’s reach. No matter where a company is located, if it processes the data of a single EU citizen, it must comply with the regulation. With fines of up to 4% of annual global revenue or 20 million Euros, whichever is higher, at stake, many U.S. organizations are reconsidering their presence in Europe. According to a PwC survey, 54% of respondents said they plan to de-identify European personal data to reduce exposure, while 26% intend to exit the EU market altogether.
How seriously is GDPR being taken?
In preparation for the big day, which is rapidly approaching, companies around the world are ramping up. Of the 200 respondents to the aforementioned survey, 54% reported that GDPR readiness is the highest priority on their data-privacy and security agenda, and they are allocating the appropriate budgets to ensure conformance. To avoid the hefty fines, 77% of U.S. multinationals plan to invest $1 million or more to bring their environments into compliance. Additionally, among those who have begun or completed preparations, the most-cited initiatives are information security, privacy policies, conducting a GDPR gap assessment, data discovery and third-party risk.
A few helpful tips for GDPR
One of GDPR’s requirements that stands out to organizations and compliance professionals is the right to be forgotten, or Data Erasure. This entitles individuals to have a data controller erase their personal information from its systems. To do so effectively, it’s crucial to understand where and how all data is transmitted, stored, and processed within the organization. If you don’t know where all of an individual’s data is located, how can you delete it all?
The first step organizations need to take in preparing for GDPR is to conduct a full assessment. This includes determining how your company collects data, what’s being done with it, where it’s going, and where it’s being stored and processed within your environment. This can be done internally by the Compliance or Internal Audit teams, or by having a third party do it for you.
Another GDPR requirement that companies may not have fully considered is the need for a Data Protection Officer (DPO) and what that role truly looks like. While a DPO can be appointed from within your company, an extensive amount of training is required before a person can be considered competent to fill that role. If an auditor determines that your appointed protection officer does not have the proper credentials, the adequacy of your entire Data Privacy Program can come into question.
Finally, companies are obligated to fully document their compliant environment and to be able to present that documentation upon request. Fostering a data privacy culture within your organization is essential to achieving and maintaining consistent compliance. When the organization as a whole is committed to the regulation, your chances of being found non-compliant, and subsequently fined, are significantly reduced.
Although many companies have made significant strides toward meeting the requirements of the upcoming regulation, there is still work to be done. I believe the rules and ramifications of GDPR will send a shock wave and a message to other countries around the world about the importance of data security. As this regulation takes effect soon, it’ll be interesting to witness the response from other regions of the world as to whether, and how, they implement protections for their own citizens.