Why GDPR -EU’s New Privacy Law- Matters to American Companies

In the wake of the Cambridge Analytica hack of Facebook, Americans are becoming more concerned about their data. While we await the fallout in terms of regulation here in the USA, companies should be aware that Europe’s General Data Protection Regulation (GDPR) is fast approaching on May 25, 2018. GDPR outlines specific guidelines for handling EU data. Think it’s a European problem and does not apply to your company? Think again. GDPR will affect any company that collects or monitors data on an individual in the EU.

Why should I care if I don’t have EU customers?

If you transfer any data across borders to Europe, you will care about the GDPR. For many US companies, GDPR may not be an issue, but it may represent a set of best practices to follow as our Congress and regulators prepare for regulation. For example, if you collect a consumer’s email from a sweepstakes entry but then use it for email marketing down the road, that could be problematic in the EU after GDRP takes effect. What does that mean for your American customers? Applying GDRP’s ideals to your USA marketing plans and data collection can help you to avoid problems if and when there is a data breach of your American customers’ data. And to the extent that you are struggling to keep up with 50 states’ laws in the USA, trusted legal advisors and data security team can help you to find the highest common denominator.

What kind of data does the GDPR cover?

The GDPR is the EU’s new privacy regulation that seeks to protect individuals’ data. The data covered ranges from basic personally identifiable information (name, address, email, etc.) (“PII”) to even more personal PII (medical data, bank details, social media information, etc.). The GDPR further prevents the collection of political opinions, health status, race, and other sensitive PII without explicit consent from the individual. The GDPR applies not only to advertisers but also to search engine companies, credit card companies, shipping companies, etc. who are tracking your searches and data on your preferences with every search and purchase you make on the Internet.

What is in the GDPR for EU consumers?

The GDPR establishes a “Bill of Rights” for individuals. It asserts that individuals have a right to be informed about what data a company is collecting and why they are collecting it. They also have the right to object and to ask a company to erase their PII, cease distribution of the PII, and prevent third party partners from using the PII. Individuals can also demand corrections to inaccurate PII.

What does the GDPR require broadly?

The GDPR requires strict data protection and data breach notification. Organizations that collect large amounts of PII from EU citizens or regularly monitor EU consumers’ activities must appoint a data protection officer who regularly communications with other c-suite individuals. It also requires companies to comply with requests to erase personal data and to notify customers promptly of data breaches.

What are penalties for non-compliance?

The GDPR has large penalties for non-compliance. Fines may range from 2% to 4% of a company’s annual global revenue or 20 million Euros, whichever is greater, depending on the facts of a given case.

What should companies do now?

• First, determine if you are collecting data from EU customers. Are you actively marketing to EU consumers? Do you have email addresses or IP addresses in your possession from EU locations? If it is just a small number, can you easily segregate those and avoid marketing to them until you have a plan in place?
• Second, do an inventory of the kind of PII you are collecting. Identify risk depending on the type of PII you have and what kind of consent you have obtained to collect it. Also determine how you store the PII, and how you or your partners use the PII.
• Third, review your privacy policies and data governance policies to ensure the safe handling of PII. Look closely at who has access within your organization and outside your organization. Set up protocols for data management and for a data breach.
• Fourth, ensure you are using encryption, pseudonymization, and anonymization, the three techniques for data protection enumerated in the GDPR. As you review the PII you have, retain only what you need. Really question why you need data before you decide to keep it or collect it in the future.
• Fifth, set up procedures to audit and monitor. Just as in the United States, showing a regulator that you have practical procedures in place that catch problems can be persuasive in the event of a data breach. Your auditing plan should continue to ensure that the least number of people have access to PII and that the PII controls remain strong throughout your systems.
• Sixth, prepare for a data breach. It will happen. You should have an incident response plan that you have tested and can implement immediately. If there’s a breach, you should know how to determine what data was exposed, how to find the point of breach, who you need to notify and when.

Are you ready for GDPR? Do you want to know more? Contact me here.