In May 2018, the General Data Protection Regulation (GDPR) became enforceable across all 28 member states of the European Union, and from July 2018 in Iceland, Liechtenstein and Norway as well, overturning the existing data protection and online privacy paradigm.
These changes to data protection in Europe may seem irrelevant to smaller U.S. firms that do business close to home. In reality, GDPR's requirements reach many U.S. companies, which need to get serious about data compliance quickly.
So how can businesses ensure compliance while simultaneously protecting their own interests and security?
Here are six frequently asked questions to help your business navigate the process.
What Is GDPR?
GDPR is, in short, a massive undertaking and a profound cultural and practical shift in how personal data is handled, and in regulators' ability to hold accountable those who handle it irresponsibly.
GDPR requires that companies:
- Have a lawful basis, such as the data subject's consent, for every processing of personal data
- Protect personal data by design, through measures such as data minimization, pseudonymization and encryption
- Handle transfers of personal data across borders safely
- Notify the supervisory authority (and, where the risk to individuals is high, the individuals themselves) of personal data breaches
Some companies must also appoint a data protection officer (DPO) to oversee compliance with GDPR.
My Business is Based in the U.S. Why Should I Care?
GDPR applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place there. It also reaches companies with no EU presence that offer goods or services to people in the EU or monitor their behavior. In other words, a U.S.-based company may be subject to GDPR if its customers or employees are located in the countries it covers.
Whenever they handle personal data of people in those countries, businesses must disclose how the data is being collected and used.
This is a departure from business as usual in the United States.
Where Should My Company Start?
Begin with a complete audit of how all personal data enters, moves through and leaves your organization. Next, revisit the ways data permissions (cookies, opt-in processes and so on) are managed.
Remember, data typically passes through different hands, servers and vendors in every organization. As a result, you may have GDPR exposure that isn’t readily apparent, through a vendor that shares personal data.
Websites in particular deserve a closer look. Is information collected merely by visiting a site? GDPR's transparency rules require you to disclose cookies and similar identifiers, for example. Are visitors automatically enrolled in other functions they may not be aware of?
Err on the side of transparency and work with any relevant vendors to also become GDPR compliant to close the circle.
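One concrete way to answer "is information collected merely by visiting the site?" is to hit the landing page with a fresh client (empty cookie jar, no banner clicked) and inspect what comes back. The script below is an added example, not code from the original article: it takes the Set-Cookie headers captured from that first response and reports which cookies are persistent identifiers of the kind commonly used for analytics or advertising. The headers, values and `.example.com` domain are constructed for illustration, and the list of tracking-cookie name prefixes is a heuristic starting point, not a legal classification.

```python
"""Audit the cookies a site hands a first-time visitor before any consent.

Input is the list of Set-Cookie headers from the *first* response to a fresh
client. Everything below is constructed sample data for the example.
"""
from http.cookies import SimpleCookie

# Constructed sample: headers a fresh visitor to a hypothetical site might get
# back before interacting with any consent banner.
FIRST_VISIT_SET_COOKIE = [
    "JSESSIONID=2F1A9C0E7B; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cookie_consent=pending; Path=/; Max-Age=31536000; SameSite=Lax",
    "_ga=GA1.2.123456789.1700000000; Path=/; Max-Age=63072000; Domain=.example.com",
    "_gid=GA1.2.987654321.1700000000; Path=/; Max-Age=86400; Domain=.example.com",
    "_fbp=fb.1.1700000000000.1234567890; Path=/; Max-Age=7776000; Domain=.example.com",
]

# Name prefixes of widely deployed analytics/advertising cookies (Google Analytics
# _ga/_gid/_gat, Google Ads _gcl_, Meta Pixel _fbp/_fbc, Hotjar _hj). Heuristic
# starting point for the audit, not a legal classification.
TRACKING_NAME_PREFIXES = ("_ga", "_gid", "_gat", "_gcl_", "_fbp", "_fbc", "_hj")


def parse_set_cookie(header):
    """Parse one Set-Cookie header into the facts the audit cares about."""
    jar = SimpleCookie()
    jar.load(header)
    # A single Set-Cookie header carries exactly one cookie.
    (name, morsel), = jar.items()
    max_age = morsel["max-age"]
    expires = morsel["expires"]
    # Session cookies (no Max-Age and no Expires) die with the browser; anything
    # else is a persistent identifier that outlives the visit.
    persistent = bool(max_age) or bool(expires)
    lifetime_days = int(max_age) // 86400 if max_age else None
    return {
        "name": name,
        "domain": morsel["domain"] or None,
        "persistent": persistent,
        "lifetime_days": lifetime_days,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "samesite": morsel["samesite"] or None,
        "tracking": name.startswith(TRACKING_NAME_PREFIXES),
    }


def audit_first_visit_cookies(set_cookie_headers):
    """Return one finding per cookie set on the consent-free first visit."""
    return [parse_set_cookie(h) for h in set_cookie_headers]


def tracking_set_before_consent(set_cookie_headers):
    """Names of persistent tracking cookies dropped before the visitor consented.

    These are the ones to raise with the site owner: non-essential tracking
    needs a disclosed purpose and consent *before* the cookie is set.
    """
    return [
        f["name"]
        for f in audit_first_visit_cookies(set_cookie_headers)
        if f["tracking"] and f["persistent"]
    ]


if __name__ == "__main__":
    for finding in audit_first_visit_cookies(FIRST_VISIT_SET_COOKIE):
        kind = "TRACKING" if finding["tracking"] else "other"
        life = f"{finding['lifetime_days']}d" if finding["persistent"] else "session"
        print(f"{finding['name']:<16} {kind:<9} {life:<8} "
              f"secure={finding['secure']} httponly={finding['httponly']} "
              f"samesite={finding['samesite']}")
    print("set before consent:", tracking_set_before_consent(FIRST_VISIT_SET_COOKIE))
```

To run this against a real site, capture the headers with a client that has no stored cookies (for example `curl -sD - -o /dev/null` against the landing page), feed the Set-Cookie lines to `tracking_set_before_consent`, and compare the result with what the site's cookie notice actually discloses. Anything flagged that the notice does not mention, or that is set before the banner is answered, is a finding to take to the vendor responsible for that script.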
What About Data Breaches?
Highly public breaches of personal data at global corporations such as Marriott, Equifax and Yahoo show why regulators treat breach handling so seriously. Protection of data is by now an almost universal concern.
Even today's small- to mid-sized businesses must be proactive. GDPR fines can be imposed for waiting too long to report a data breach, or for failing to report it altogether. Suffering a breach is challenging enough; disclose it to the relevant supervisory authority within 72 hours of becoming aware of it (unless it is unlikely to pose a risk to individuals) to avoid compounding your problems.
Companies established in the EU report to the supervisory authority of the member state where they have their main establishment. U.S. companies without an EU establishment report to the authority in the member state where the affected individuals are located, through an EU representative where GDPR requires them to appoint one.
What Happens if My Company Doesn’t Comply?
Under the new rules, organizations can be fined up to 4% of annual global turnover or €20 million, whichever is higher, for violating GDPR. Fines are tiered, however: the lower tier, up to 2% of turnover or €10 million, covers infringements such as not having records of processing in order, failing to notify the supervisory authority and data subjects about a breach, or not conducting a required impact assessment. These rules apply to both controllers and processors, so cloud providers are not exempt from GDPR enforcement.
Regulators are already imposing real penalties on companies that flout data protection rules. Case in point: in July 2019 the UK Information Commissioner's Office announced its intention to fine British Airways and Marriott over their breaches (£183 million and £99 million, roughly $230 million and $124 million at the time; both penalties were substantially reduced when finalized in 2020). And in January 2019, CNIL, the French data protection authority, fined Google €50 million (about $57 million) for lack of transparency and non-compliance with GDPR.
These fines should serve as cautionary tales for more modest businesses operating in similar spaces with considerably fewer resources.
Where Can I Find Help for My Organization?
A data protection officer (DPO) is mandatory if an organization is a public authority, or if its core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive (special-category) personal data. Even U.S. businesses below those thresholds but with potential GDPR exposure may consider hiring or training a DPO to protect their interests and remain in compliance.
If the details of GDPR compliance seem daunting for your business, don’t fret: There are many resources—from consultants to online guides, and beyond—at your disposal. One great place to start your GDPR journey is at the website of the International Association of Privacy Professionals, where you can find a consultant, certification and training resources for you and/or your team, and conferences on related topics.
Fifth Third Bank, National Association does not provide tax or legal advice. Please consult your tax adviser or attorney before making any decisions or taking any action based on this information. This information is provided for educational purposes only and does not constitute the rendering of tax or legal advice.