Are you Ready for the EU GDPR? What Companies Outside the European Union Need to Know
Typically, a law is not applicable beyond the borders of its nation of origin. For example, The Health Insurance Portability and Accountability Act (HIPAA) and The Gramm-Leach-Bliley Act (GLBA) are limited to the scope of the United States. Likewise, the laws set forth by the Canadian Privacy Commission do not protect those outside of Canada. However, there is soon to be an exception to the rule with the enactment of the European Union General Data Protection Regulation (EU GDPR).
If your company operates outside the EU, you may be unsure exactly how the GDPR will impact your business. In fact, you may not even realize that these new data protection requirements will impact your business at all. The truth of the matter is that it is time to start paying attention to the EU GDPR—no matter where in the world you conduct business—because it will affect everyone, and the consequences of non-compliance are severe.
EU GDPR 101
In today’s digital age, people are sharing a prolific amount of personal information through the Internet, social media, mobile applications and cloud computing systems, making it more and more difficult for individuals to control where, when and how their data is processed. To better protect citizens’ personal information and simplify business rules for the companies that handle this data, the European Commission proposed the GDPR back in 2012. The regulation will officially take effect on May 25, 2018, replacing the previous data protection regulation, Directive 95/46/EC, which came before the dot-com boom and the Internet privacy concerns that followed.
In actuality, the GDPR extends beyond the EU and to any company that processes the data of individual EU citizens
Once enacted, the GDPR will bring about a number of changes–stricter requirements for obtaining consent when collecting data; the need to alert the relevant supervisory authority of data breaches within 72 hours of occurrence; and the “right to be forgotten,” in which data subjects can request the deletion of personal information that is no longer serving its original purpose. While these are just a few of the changes the regulation will set forth, the ultimate goal is clear: to create a consistent framework for data protection across the EU. This is of prime importance, as more than 90 percent of Europeans say they want the same data protection rights regardless of where the data is processed, according to the European Commission.
Let’s go back to the phrase, “regardless of where the data is processed.” In actuality, the GDPR extends beyond the EU and to any company that processes the data of individual EU citizens. So, if you are a U.S.-based company, and you hold or process data pertaining to EU citizens, you must comply with the GDPR. And, the GDPR is a mandatory, not voluntary, guideline. Therefore, the penalties for non-compliance are especially stringent and include the right for EU citizens to sue as a class. Furthermore, the EU estimates that businesses who do not comply with the GDPR face fines up to 4 percent of the company’s global revenue. That is a huge ramification, especially for larger corporations.
Is a Single International Regulation Framework Possible?
A look at the history books shows little evidence of the broad use of data security standards in an enterprise’s everyday operations. The International Organizations for Standardization (ISO), or the Payment Card Industry Standards, including the Payment Card Industry Data Security Standard (PCI DSS), come to mind, but they greatly differ from the GDPR. ISO standards are completely voluntary, and are intended to help companies access new markets, level the playing field across countries, and facilitate fair global trade. Similarly, PCI DSS are self-regulatory industry standards, not a law. Because the protections the GDPR provides will follow EU citizens wherever they reside, it is believed to be one of the first truly international data protection frameworks.
Another glance at the past shows that complying with widespread regulations like PCI DSS has not been without challenges. In an attempt to reduce complexity, many organizations opt to run their compliance programs by simply checking a box for each requirement before moving onto the next standard’s requirement. Often, the system changes designed to meet the second standard create data security issues with the first. Governance, Risk Management and Compliance (GRC) software can only go so far in preventing these situations and making sure each requirement is met. It also does not consolidate and publish requirements in a single, convenient place.
Embracing–and Bracing—for the GDPR
It may seem unfeasible that a single international set of standards could exist that meets all data security needs and simplifies the regulatory environment, but the GDPR is a step in this direction. Although there are bound to be some hiccups along the way, the GDPR signifies a positive move toward defining a specific data privacy goal for citizens all over the world. The regulation will also help standardize the processes and requirements that businesses must follow to bring this goal to fruition.
As we continue to embrace technologies that inherently present new data security and privacy concerns, we must also embrace the need for a global standard to protect personal information. The GDPR holds promise for establishing the foundation on which businesses protect sensitive data in a unified matter. While the enactment of the GDPR is still over a year away, companies across the globe should already be considering its implications. Taking the time to understand the pending requirements will help you minimize risk and ensure the security of your customers’ and your employee’s most personal data, now and in the future.