If you have customers in the European Union then you need to be fully aware of GDPR and prepared for its introduction later this year.
The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. From that date, all companies, including international firms, doing business with individuals located in EU member states must comply with the law's far-reaching provisions.
Companies are not exempt from the GDPR just because they don't have offices in the EU or don't process data in an EU member state. Failure to prepare for the regulation could have serious consequences for a company's bottom line: businesses will face staggering fines from the regulators of up to 4 per cent of global annual turnover or €20m ($23.75m), whichever is greater, together with the associated negative impact on customer relationships and brand reputation.
The GDPR becomes enforceable from 25 May 2018 after a two-year transition period. Unlike an EU directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. Brexit won't exempt UK companies: the new regulations will be integrated into UK law after Brexit through a new data protection bill.
The volume of data that is being collected and stored every year is astronomic and growing. IDC forecasts that by 2025 the Global Datasphere will reach 163 trillion gigabytes, ten times more than in 2016.
What will change for US companies who have customers in the EU?
Under GDPR, companies will have to document all the “personal data” they store, so they can either hand it over or delete it on request. There has been much discussion about what “personal” means, but GDPR will tighten the criteria:
Social media and other consumer-facing technology businesses say the new consent rules will be extremely difficult to implement. Under GDPR, companies will no longer be allowed to hide behind what the EU calls "silence, pre-ticked boxes or inactivity", yet for the most part companies remain reluctant to alarm their users with warnings about data use.
The GDPR aims to protect individuals and their personal data through unified, modernized standards, and a set of meaningful rights for individuals. Some of the key GDPR obligations include:
- Condition for consent, mandating that organizations obtain explicit consent to gather information from individuals (known as data subjects) – and be able to prove that they have done so. Consent is limited to specific purposes, and data subjects have the right to withdraw consent at any time.
- Right to access and obtain data, allowing data subjects to request access to information held about them, and to learn how their personal data is accessed, the purpose of the access, where it is accessed, what categories of data are accessed and who has access.
- Right to erasure, giving data subjects the right to request the deletion of personal data if they do not wish to allow its use.
- Right to rectification and objection to profiling, granting data subjects the right to request corrections in personal data if it is inaccurate and allowing them to object to profiling that may result in discrimination against them.
Next Steps
If you haven't already done so, your organisation needs to conduct a GDPR readiness assessment. A quick Google search will reveal a good number of organisations willing to help you with that, from IBM down to your local IT consulting firm.
If that sounds like jumping in at the deep end, Microsoft offers a GDPR Assessment via a quick, online self-evaluation tool (26 questions), available at no cost, to help your organisation review its overall level of readiness to comply with the GDPR. Link to online assessment.
Brand reputation and customer relationships. Engage with your PR and marketing communications agency to develop a communications program designed to reassure customers, employees, suppliers and investors that you are addressing GDPR. Silence might imply ignorance of GDPR, and as you now know, the financial consequences of ignorance could be disastrous, even fatal, for an organisation. An effective communications program will help ensure that dark GDPR thoughts and the associated risk don't enter the minds of your stakeholders.
Resources:
- The full regulation. It is 88 pages long and has 99 articles.
- The ICO's guide to GDPR is essential reading both for consumers and for those working within businesses.
- EU GDPR is the Union’s official website for the regulation. It details all you need to know and has a handy countdown clock for when GDPR will come into force.
- The EU’s Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.