Procrastination might be common human behavior, but in the case of the European Union's upcoming General Data Protection Regulation (GDPR), it could be deadly to the bottom line of a large percentage of American companies. Going into effect on May 25, GDPR is the biggest change to European data protection in decades, but survey after survey has shown that a distressingly large share, 51%, of U.S. firms with European customers either don't think these new customer privacy rules apply to them or haven't yet implemented plans to deal with GDPR. With less than 100 days left, if you haven't been planning for GDPR, it's almost too late.
Various recent surveys have reported that many U.S. firms might be eligible for fines related to non-compliance, but perhaps a more terrifying new statistic revealed that 82% of European consumers intend to view, limit or delete personal data about them held by companies, as GDPR allows. Firms not prepared to accommodate such requests could be walloped by fines of up to 4% of global annual revenues, maxed out at £20 million.
To make sure you are not taken unawares, here are a few common misperceptions and myths about GDPR.
Myth 1: GDPR doesn't relate to my business
Any U.S. company that holds data related to an EU citizen is affected, even if it's just one customer. GDPR does permit information gathered for tests, trials or scientific research to be used, but the companies gathering it must implement appropriate safeguards and only process the personal data necessary for research purposes. Any company storing personal information on people in the EU region must comply. This means personal data on e-commerce sites, media sites and messaging platforms, files held by health-related fitness or medical apps, and anywhere else it might be stored, electronically or on paper.
Myth 2: GDPR doesn't impact me because I have no European office
Guess again. Storing EU customer data in the United States doesn't inoculate companies from GDPR oversight, even those firms without a sizeable number of European customers. Your EU customer database, regardless of its size, must comply wherever it resides, so there's an argument for storing it closer to customers. And those firms with a UK office that think Brexit makes them immune will also find themselves sadly mistaken; GDPR covers the entire region, regardless of Brexit. UK-based firms need to choose a lead regulator in the EU as part of compliance. The UK regulator may not be deemed an 'equivalent' regulator post Brexit, even though the UK will draft GDPR into statute before Brexit.
Myth 3: I can pick the "regulatory authority" that aligns best with my business
Alas, no you can't. GDPR does have a "one-stop-shop" compliance framework in which regulation takes place in the country containing a company's "main establishment." Companies need to choose that location, but they can't simply choose the data commissioner they like the best: they need to have the 'minds and management' for data protection in that location. GDPR data commissioners want companies to be GDPR compliant, so working with the data commissioner makes sense.
Myth 4: If I start now, there's still time to be 100% compliant with GDPR before May 25
Given the scope of the GDPR ruling, this seems unlikely -- although launching an immediate compliance program should still be an unalterable goal; the alternative is playing Russian roulette. Getting consumer consent for all of a company's EU customer data is a massive undertaking, particularly considering the high volume of such data likely to need fresh consent. Then there are nightmare scenarios like a breach in a network with thieves grabbing un-consented consumer data. The fines would apply if you have not made every attempt to lock your network down beforehand. At this late stage in the game, the best plan for those only starting now is to get professional support. There are plenty of good readiness and analysts' frameworks out there with detailed steps to follow.
What to do next
With GDPR just weeks away, companies should look seriously at GDPR and consider the best options. An ounce of prevention now could avert fines later. In reality, many companies are unlikely to have all the bases covered by the deadline. A Gartner report stated that even by the end of 2018, more than half of the companies affected won't actually be in full compliance with GDPR requirements.
Here are the most important steps to take now:
- Perform a data audit - This means knowing what European customer data exists so that comprehensive measures can be put in place to protect it.
- Get smart guidance - Seek help from experts in the field.
- Appoint an internal data protection officer - Such a person might also have other duties, but it's critical to have a driver and monitor of your GDPR compliance program. In fact, some companies are creating information governance teams to work with the Data Protection Officer.
- Understand GDPR's customer rights and have a plan for responding - Consumers have the right to see their personal data (typically within a month of the request), to have it changed or deleted, and to demand restriction of further processing of such data, including withdrawing any prior consent to use it. In addition, customers must be told within 72 hours of a data breach.
- Allocate adequate budget, tools and resources - Not funding a serious GDPR compliance plan now might save money, but not when compared to the cost of fines later. Most companies are training staff to help them understand what compliance means, so that human error does not unintentionally create a security breach.
Shane Nolan, Senior VP Technology, Consumer & Business Services at IDA Ireland