GDPR is a sweeping new EU privacy regulation that has extensive implications for U.S. firms too. Here’s how to prepare for it…
In May 2018, a new regulation comes into force in Europe. Many have heard of the EU’s General Data Protection Regulation (GDPR), but one thing isn’t as well known: it affects U.S. companies, too.
Any organization that offers goods or services to people in the EU, or monitors their behaviour, and handles any of their personal data is subject to the rules, wherever it is based. The regulation significantly raises the bar for privacy, and could be a rude wake-up call for many on this side of the Atlantic. For the first time, national supervisory authorities (the data protection authorities of each member state) can impose harsh penalties on violators. The top tier of fines is the greater of €20 million or 4% of total worldwide annual turnover for the preceding financial year.
There is no U.S. privacy legislation that is recognized as equivalent to GDPR, and as such, U.S. firms must make operational, legal, and contractual changes to meet its stringent requirements. And while many U.S. firms are familiar with data protection frameworks, such as the one from the National Institute of Standards and Technology (NIST), most frameworks focus on access control and protection of data, not on an individual's right to privacy or to be forgotten, which GDPR affords to people in the EU.
Here are six broad steps that organizations should take to prepare themselves for life under GDPR:
Audit your data holdings
A gap analysis will show where your privacy practices are lacking, but you can't understand where you're headed if you don't know where you're starting from. The first step for U.S. firms will be to assess the data that they hold on individuals in the EU.
Conduct an information audit to find out what data you're holding about individuals, where you received it from, why you process it (the lawful basis), how long you keep it, and who you're sharing it with. Under GDPR's accountability principle, companies must be able to demonstrate that they're protecting information adequately, and larger organizations must keep written records of their processing activities. That includes notifying any third-party organization you have shared data with when you correct or erase it.
Map your data processing to individual rights under GDPR
Once you understand your data landscape, explore the legal one. Many U.S. companies, lacking federal guidance on data privacy, will only have dealt with state-level legislation. Their data processing requirements will change under the incoming European regulation, which accords greater privacy rights to individuals in the EU.
Examples here include:
Consent: Consent must be freely given, specific, informed, and unambiguous. A request for consent can't be buried in other written terms; it must be clearly distinguishable from them. Consent is not considered freely given if you make a service conditional on consent to processing that the service doesn't actually need. Withdrawing consent must be as easy as giving it. For online services offered directly to children (under 16, or a lower age down to 13 where a member state sets one), consent must come from the holder of parental responsibility.
Right to erasure: Individuals now have a 'right to be forgotten' and can ask for their data to be erased. If you've shared that data with other organizations, or made it public, you have to inform those recipients of the erasure request, too.
Right to portability: Individuals can demand that you provide the data they gave you in a structured, commonly used, machine-readable format so that they can take it elsewhere. As with other data subject requests, you must respond within one month, extendable by up to two further months for complex or numerous requests.
Assess and revise your legal framework
After reviewing your data processing practices and revising them for GDPR compliance, you must ensure that your legal framework reflects it properly. General counsel must work with privacy officers to revise existing contracts with customers and business partners. Pay particular attention to contracts with service providers who process data on your behalf (known as data processors): GDPR requires a written contract that binds the processor to act only on your instructions, to secure the data, and to assist you with breach notification and data subject requests.
Standard contractual clauses can help here. These are European Commission-approved legal boilerplates designed to lawfully transfer personal data from organizations inside the EU to recipients outside it. They are an alternative transfer mechanism to the EU-U.S. Privacy Shield framework, under which certified U.S. companies may receive personal data from the EU; a firm needs one such mechanism in place for each transfer, not both.
If you haven’t already, tagging the legal language in your contracts with appropriate metadata is a useful way to make this process more efficient in the future.
Prepare for data breaches
GDPR places data breach notification rules on affected organizations. This will be news to U.S. companies, who aside from some sector-specific requirements, only needed to satisfy state-level breach notification laws. Now, you must keep an internal register of all personal data breaches, report a breach to the supervisory authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and, where the breach is likely to result in a high risk to individuals, notify the affected data subjects without undue delay.
For firms conducting business in the State of New York, this approach of proactive declaration is very similar to section 500.17 of the Department of Financial Services, New York Cybersecurity Rules and Regulations (referred to as 23 NYCRR 500) that came into effect in March of this year.
Review systems design
The GDPR introduces some new concepts that may entail some rethinking of data processing systems. Under its data protection by design and by default rule, organizations must build privacy measures into data processing systems from the outset and default to collecting and exposing the minimum data necessary. It specifically mentions pseudonymizing data: replacing direct identifiers (names, e-mail addresses, account numbers) with tokens, so that the records can no longer be attributed to a specific person without additional information, such as a key or lookup table, that is kept separately and under separate access controls. Pseudonymized data is still personal data under GDPR, unlike properly anonymized data, but it reduces the impact of a breach and counts as a recognized security measure. You may also need to adopt policies governing staff access to sensitive data.
Expect to prove that you've designed systems and processes with privacy in mind. The GDPR calls for a data protection impact assessment before starting any processing that is likely to carry a high risk to individuals' rights and freedoms, for example large-scale profiling or processing of health data.
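The following is an added illustration of the pseudonymization approach described above; it is not code from the original article or from eSentire. It assumes that direct identifiers are tokenized with a keyed HMAC-SHA256 rather than a plain hash (so that someone holding only the dataset cannot brute-force common names and e-mail addresses back out of it), that the key and the token-to-value lookup table are the "additional information" that must be stored separately from the dataset, and that an erasure request can be honoured by deleting that link. The field names and sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional

# Fields treated as direct identifiers in this example. A real data audit
# decides this per dataset; these names are an assumption for illustration.
DIRECT_IDENTIFIERS = ("name", "email", "customer_id")


class Pseudonymizer:
    """Replace direct identifiers with keyed HMAC-SHA256 tokens.

    The key and the token->value lookup table are the separately held
    'additional information': in production they belong in a secrets store
    or KMS with its own access controls, never in the analytics database
    that receives the pseudonymized rows.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a secret key of at least 256 bits")
        self._key = key
        self._lookup: Dict[str, str] = {}  # separate store, not the dataset

    def token(self, value: str) -> str:
        # A keyed MAC rather than a bare hash: without the key an attacker
        # cannot confirm guesses such as "is this token jane@example.org?".
        # The same value always maps to the same token under one key, so joins
        # and counts still work on the pseudonymized data.
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymize(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Return a copy of record with direct identifiers replaced by tokens."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if out.get(field) is not None:
                original = str(out[field])
                tok = self.token(original)
                self._lookup[tok] = original  # kept apart from the released rows
                out[field] = tok
        return out

    def reidentify(self, tok: str) -> Optional[str]:
        """Resolve a token back to the original value, if the link still exists."""
        return self._lookup.get(tok)

    def erase(self, value: str) -> int:
        """Honour an erasure request by dropping the link for this identifier.

        The pseudonymized rows can stay for aggregate statistics; without the
        lookup entry (and with the key protected) they no longer point at a
        person. Returns the number of links removed (0 or 1).
        """
        return 1 if self._lookup.pop(self.token(value), None) is not None else 0


def demo() -> Dict[str, Any]:
    """Run the flow end to end on constructed sample records."""
    # Constructed sample input, not real customer data.
    records = [
        {"name": "Ada Lovelace", "email": "ada@example.org", "plan": "pro", "logins": 42},
        {"name": "Alan Turing", "email": "alan@example.org", "plan": "free", "logins": 7},
        {"name": "Ada Lovelace", "email": "ada@example.org", "plan": "pro", "logins": 3},
    ]
    key = secrets.token_bytes(32)  # in production: fetched from the KMS
    p = Pseudonymizer(key)
    released = [p.pseudonymize(r) for r in records]

    # Same person, same token: the two Ada rows can still be grouped together.
    same_token = released[0]["email"] == released[2]["email"]
    # Holder of the separate key/lookup can still answer a subject access request.
    resolved = p.reidentify(released[0]["email"])
    # Erasure: remove the link, leave the rows.
    removed = p.erase("ada@example.org")
    after_erase = p.reidentify(released[0]["email"])
    return {
        "same_token": same_token,
        "resolved": resolved,
        "removed": removed,
        "after_erase": after_erase,
        "plan_preserved": released[0]["plan"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the code makes concrete: tokens from different keys do not match, so a second department or vendor issued its own key cannot link its dataset to yours; and erasing the link rather than rewriting every downstream copy is only acceptable if the key really is held apart from the data and the remaining fields cannot single a person out on their own.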
Review staff roles
Changes to your data processing go beyond the technical and the legal. Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health records, must appoint a data protection officer, as must public authorities. This provision in the GDPR casts a wide net, covering the likes of hospitals, insurance companies, and banks.
U.S. companies dealing with individuals in the EU have little time to lose. Because GDPR is a regulation rather than a directive, it applies directly in every member state from 25 May 2018, with no transposition period in which individual countries interpret it into national law. Gather together your legal counsel, software developers, information architects, and human resource managers. There's plenty of work here for everyone.
Mark Sangster, VP and Industry Security Strategist at eSentire