With trade between the US and the European Union topping $1 trillion a year, the chances are that, if you are in business, you are in business with Europe. And, in the process of doing that business, it’s likely that you need to collect and store customer data. If that is the case, not only do you need to be aware of GDPR, you need to be taking actions to ensure you are compliant.
GDPR stands for the General Data Protection Regulation, which is due to come into force in May 2018. In the past, Europe has always been a bit more regulated about customer data privacy than the US, but now the EU law is going to impact US companies because it extends its reach. The extra-territorial coverage means that a US company will have to comply with GDPR requirements in the same way as an EU company, from the moment it touches personal data with origins in Europe.
What if you don’t bother? Well, the proposed penalties for failing to follow the new regulations stand at a minimum of €20 million, or between 2% and 4% of annual turnover. And the responsibility for the implementation of GDPR, reporting serious data breaches and bolstering an organisation’s cyber security may ultimately fall on the shoulders of a company’s directors and officers, who can be found personally liable. So that’s a bit of a wake-up call then!
How can you be ready for May 2018, when the GDPR comes into force? First of all, you need to know the key elements of the regulation that might impact you in the US. To start with, the regulation states that all data collected by companies or organisations requires full, unambiguous consent in order to ensure the rights of all EU citizens. If using consent as the mechanism for transfer of data to the US, privacy policies and procedures need to take into account a range of new EU citizens’ rights that apply to data transferred to the US. These rights include the right to data portability, the right to object to profiling, and rights to rectify or delete collected personal data. In addition, parental consent is mandatory before accessing EU children’s personal data. EU citizens have the right to have personal data erased, and companies that experience data breaches have a duty to notify customers promptly (heads up, Uber – telling people a year later is not enough).
Not only this, but US companies have to ensure that data transferred across borders is managed safely and securely. EU-US data transfers are still considered an international data transfer, and as such they are governed by specific conditions and requirements. US companies can only use the data that has been transferred if they meet the test of adequate protection (by subscribing to the EU/US Privacy Shield) or have consent, use standard contractual clauses, binding corporate rules, or EU-approved industry codes of conduct.
Perhaps the best way to address this is for US companies to conduct a data audit that determines what data flows are coming from Europe and to make sure that these data sets are collected and processed in accordance with the regulation. In some cases it will be necessary to appoint a designated data protection officer – for example if you are a public authority, if you carry out large-scale systematic monitoring of individuals (such as online behaviour tracking) or if you carry out large-scale processing of certain categories of data. But even if these specifics don’t apply, it would be wise to make sure you have an individual who can understand and implement the regulation, provide guidance on compliance and be the contact point to resolve compliance issues.
The new regulation is an evolution of the existing framework: whilst it reduces bureaucratic obligations to the Data Protection Authorities, it reinforces the internal accountability of companies to anticipate and mitigate privacy risks when collecting and processing personal data. If you want to keep trading with Europe, you need to get ready for GDPR.