10 Things You Need to Know About GDPR Compliance Requirements
On May 25, 2018, the General Data Protection Regulation (GDPR) — arguably the most robust data privacy law in history — will become fully enforceable.
The GDPR will significantly strengthen the protection of personal data of European Union (EU) citizens by increasing the obligations of organizations that collect or process it. Failure to meet compliance requirements could result in massive penalties, potentially totaling €20 million (approximately $24 million) or 4% of a company’s global annual revenue (whichever is greater). But there’s still a lot of confusion about what this actually means for business.
Here are the top 10 things you need to know.
1. It doesn’t matter if you’re based in the U.S.
If you’re a U.S.-based business, don’t make the mistake of believing the GDPR doesn’t apply to you. The only requirement for compliance is that you have access to the personal information of any individual residing in the EU.
For instance, let’s say ABC Company is a Philadelphia-based organization with a monthly email newsletter that reaches several subscribers in Germany. The company’s physical location doesn’t matter, but the fact that ABC has access to EU citizens’ personal information (in this case, email addresses) does.
2. Brexit won’t affect compliance.
In 2016, British voters passed a referendum to leave the EU (“Brexit”); however, the country won’t officially withdraw until March 2019. That means U.K. citizens are still considered residents of the EU until 2019, and their personal data is protected under the GDPR.
The U.K. government has stated that due to strong voter support for stricter data privacy laws, it will most likely pass its own legislation that largely mirrors the GDPR. So, even if the U.K. is the only European country from which you collect or process data, you still need to be fully compliant by the deadline.
3. Personal data may include more than you think.
The goal of the GDPR is to safeguard the “right to the protection of personal data,” but what qualifies as personal data? The official text defines it as “any information … that can be used to directly or indirectly identify the person.” The definition goes on to state this can include “anything from a name, a photo, an email address, bank details, posts on social media websites, medical information or a computer IP address.”
Take ABC Company from the previous example, with its email newsletter that reaches several people in Germany. Just the fact that it has access to these email addresses is enough to require compliance with the GDPR.
4. Article 29 is a valuable resource.
As you work toward compliance, information around the Article 29 Working Party will be the most beneficial. Whereas the text of the GDPR details the compliance requirements, the Article 29 Working Party lays out guidelines as to how you can actually achieve those requirements. The Article 29 Working Party updates its website as new information about or changes to the regulation become official.
5. Changes are inevitable.
Since it originated in 2016, the Article 29 Working Party and various government entities have been issuing guidance on GDPR compliance. It’s likely these clarifications will continue right up to the effective date. Lisanne Steinheiser, global compliance officer at Insight, advises keeping a close eye on the Article 29 Working Party site to see how the changes affect your compliance targets.
6. Governance should come first.
On your journey toward compliance, carefully consider the people within your organization who will tackle this project. Bret Wingert, vice president of operations at Insight, has been working on Insight’s compliance process since early 2017. He recommends including teammates across your business, from lawyers to marketers.
He also advises creating not only a cross-departmental team, but a cross-regional one. Speaking about Insight’s compliance team, he says, “Since the company as a whole is ultimately liable, we felt that it was important that it was a very global team.”
7. Legal involvement is paramount.
Steinheiser strongly urges including regular communication with legal counsel as you work toward compliance. “To be honest, the first thing organizations should do is speak to counsel,” she says. “There are even firms now in the EU that specialize in compliance.” Whether you use your internal legal team, an external firm or a combination of the two, be sure to consult them at every stage of the journey.
8. Data breach preparation is a must.
The last five years have seen a major influx in security breaches and stolen information. The fact that many companies decline to report breaches to the affected individuals has left global consumers feeling like they can’t trust organizations to protect their personal data.
This mistrust led to the inclusion of a specific article in the GDPR that addresses the need for timely breach reporting. Although the section is fairly short, it poses one of the biggest logistical barriers to compliance.
According to the article, a ”controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” Individual data subjects must also be notified “without undue delay” if the breach ”is likely to result in a high risk to the [their] rights and freedoms.”
With these strict time constraints, it’s essential to create a detailed plan of how your organization will handle a breach. Establish who will notify your advisory board and how, who will compile a list of data subjects to notify, and who will notify these individuals and how.
9. History matters.
Many industry leaders in the U.S. have criticized the GDPR for being too broad, too strict and too invasive for businesses. It’s important to understand that after World War II, many country governments, especially those in Europe, realized the need to protect citiizens’ personal data to avoid repeating harms of the past.
In 1948, the United Nations’ Universal Declaration of Human Rights stated it’s everyone’s right not to “be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation.” In 1990, the U.N. further extended this right to personal data.
Since the EU’s inception in 1993, the protection of personal data of its citizens has been recognized as a fundamental right. In 1995, the EU passed Directive 95/46/EC, which regulated how personal information could be collected and used in the EU. But as the internet grew in scope and popularity, EU citizens began to demand more direct control over the process. As a result, the previous directive was replaced in 2016 by the General Data Protection Regulation, significantly strengthening citizens’ right to data protection.
10. Similar laws are likely in the future.
Historically, EU citizens may have cared the most about protecting their information, but they’re no longer the only ones demanding this. As shown in Figure 1, American citizens are also concerned about personal data privacy: 58% believe every internet user should think about their data, and 46% feel many internet companies exploit their position to collect data. More than a third (37%) said they take proactive measures regarding data protection.
As personal data becomes easier to collect and the number of data breaches rises, individuals are more concerned about who has access to their information and why. Consumers today expect transparency from global businesses, especially when it involves their personal data. It’s highly likely this change in voter opinion will lead to more data privacy laws like the GDPR in the near future.
Concerns about meeting GDPR compliance by the deadline continue to abound. There’s been a lot of speculation regarding how strict the EU will be when it comes to fines. Will it demand €20 million on May 25 if your business is not 100% compliant? Will it make an example of one or two big businesses? Will it send out warnings at first? Many thought leaders believe the EU will be surprisingly lenient — as long as you’re working hard toward compliance.
Insight disclaims this as a full review on EU data privacy nor is it intended to be legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand some important legal points. You should not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding. Insight suggests you consult an attorney if you’d like advice on your interpretation of this information or its accuracy or its applicability to your business.