Does Your Business Need to Comply with GDPR?

The requirements of the European Union's General Data Protection Regulation (GDPR) for US companies that collect, maintain or process EU citizens' personal data will be significant, and compliance is not optional. When GDPR takes effect on May 25, 2018, the European Commission will enforce the regulation around the world through administration of major fines.

The purpose of the regulation is to give EU citizens more control over how their personal data is collected and how it is used and maintained. It is essentially Europe’s new framework for data protection laws. The implementation of GDPR will have the most impact on US companies that have not yet appropriately managed privacy data through existing compliance regimes such as FISMA or HIPAA. You will need to have a complete inventory of all privacy data, identify any subcontractors or partners that access privacy data on your behalf, and ensure they are GDPR compliant as well.

But you’re reading this and saying, “Why does this affect me? We are a U.S.-based company!” The key is to analyze your organization. Do you sell your products or services overseas? Do you want to in the future? Do you send any data or transactions overseas? You want to make sure you know the answer, as the penalties for non-compliance are severe, and even more severe is the impact it can have on your business reputation if you are fined. I’m sure the first companies fined will make big news! That is publicity nobody wants. Another factor is whether you are already required to comply with EU-US Privacy Shield. If so, you will definitely need to comply with GDPR, as it has a much larger scope than the Privacy Shield.

Here are four examples of when a US based company must comply:

  • You maintain a public-facing web site that is marketed to EU citizens and collects cookies;
  • Your organization maintains HR data on EU residents;
  • You are a university that recruits EU citizens as students and your admissions office collects personal data;
  • You market products and services to the UK! Until Brexit is complete, GDPR applies to you as well.

The following are key areas that should be looked at when considering GDPR compliance:

  • Understand your data. Build a Privacy Data inventory and know where it is all stored and with whom it is shared. Make sure you are not still storing old data from a project that is no longer active. Regardless of retention policies, if you are not using the data, dispose of it and document it with a destruction certificate. When you have a handle on the data that you need, keep this inventory current. Also minimize duplication and limit access using least privilege. Also understand what data is maintained by all subcontractors/partners. If they are lax about complying, then find new teammates. Your business could be at stake!
  • For companies that have more than 250 employees, there’s a requirement to have documentation of why people’s information is being collected and processed, descriptions of the information being held, retention policy and descriptions of technical security measures in place.
  • Assign a Data Protection Officer. If you comply with HIPAA or FISMA then you likely have a privacy officer.  The responsibilities are similar but you want to have one person who is responsible for filling this role.
  • Have a good Incident Response Process. When a data breach does occur, your company must report the event to the right data protection authority within 72 hours of the event. If your current policy is not as strict you will need to update your policies. Be prepared and make sure your policies and procedures are current and tested.  Also provide annual Incident Response Training.
  • You will need to know whether you are a data processor, a data controller, or both, and the answer will have different implications regarding compliance. A data controller determines the purposes and mechanisms for how customer data is processed. A data processor stores, modifies or deletes personal data on behalf of a controller.
  • You will need to revisit your current customer consent forms to comply with GDPR. GDPR gives individuals a lot more power to access the information that’s held about them. You must allow your customers to select whether they want their data used and give them the option to opt out and make sure you maintain this data so there are no mistakes.
  • Not just about the customers: Employee Data (if you have overseas employees) will need to be compliant and training is required for all staff.

Your whole organization will need to remain aware of the implications of GDPR and maintain compliance. There are some great resources that have been published on the regulation. Here’s where to go if you’re looking for more in-depth reading:

– The full regulation. It’s 88 pages long and has 99 articles!  (Have fun!) https://ec.europa.eu/info/law/law-topic/data-protection_en

– The ICO’s guide to GDPR –  https://ico.org.uk/