Many US companies and others worldwide who do business in the European Union (EU) have been preparing for the deadline to comply with the region’s General Data Protection Regulation (GDPR), which is May 25, 2018. By this date, virtually all companies that work within the EU’s 28-member states or gather data from them will need to demonstrate that they meet GDPR compliance standards. This means they have defined consistent processes for how personal data of EU residents related to transactions that take place in the EU is managed and protected, and how data breaches are reported.
Businesses affected by the General Data Protection Regulation specifically include:
- All companies that do business in the EU
- Companies that process the data of EU residents with more than 250 employees
- Companies with less than 250 employees whose data processing rights impact the rights and freedoms of data subjects on a more than an occasional basis, and include certain types of sensitive personal data
The type of identity information the GDPR requires businesses to protect includes:
- Name, address and ID numbers
- Web data such as location, IP address, cookie data, and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
In order to fulfill GDPR compliance, companies are also responsible for making sure that their data management vendors are in compliance. The EU considers vendors an extension of the companies they work with for the purpose of managing data breaches. This means that all contracts with vendors of this type must be updated to reflect that systems and practices have been put in place to comply with the GDPR. As with individual businesses, these vendor contracts need to define consistent processes for how data is managed and protected, and how breaches are reported.
Having a working knowledge of the standards that EU officials have for deciding which companies follow GDPR compliance is essential for all businesses active in the EU. The standards are uniform across the EU but are considered substantial by many companies who feel they will have to change the way they do business in the region due to the GDPR’s requirements. Most feel they are at a competitive disadvantage with EU companies as a result of the new regulation, according to media reports.
The cost of compliance is probably one reason for corporate dissatisfaction with the GDPR. About 68% of US-based companies expect to spend $1 million to $10 million on systems to meet GDPR requirements, while another 9% expect to spend more than $10 million, according to a recent PwC survey.
Making sure that your company’s IT and security staff know everything about how data is collected and stored is an important first step in both protection and GDPR compliance. The EU defines the roles of those responsible for compliance as being the data controller, data processor, and the data protection officer. The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply.
After your company’s data protection controller, data processor, and data protection officer have defined how data is gathered and stored, they can create a strong process for data protection, and detail that in company policy. This information can then be included in all new contracts with vendors.
Taking those steps will put your company on the important road to GDPR compliance -and not a moment too soon, considering the fast-approaching deadline. Those companies that don’t comply with the regulation’s internal and external requirements will be at risk of being charged EU regulatory non-compliance fines, which have historically been steep.
While it may take an effort to achieve compliance, there really is no downside to meeting GDPR compliance standards. By being proactive at the level the EU requires and by paying attention to all the details of data protection, you are strengthening your business and keeping it safe from dangerous data breaches.