Senior Manager of Internal Audit, Corporate Governance and Sarbanes-Oxley Compliance
GDPR: What Change Will It Bring to the U.S.?
Now that the European Union (EU) has enacted the General Data Protection Regulation (GDPR), it is easy to assume the regulation applies only to multinational or European companies. GDPR will certainly affect businesses in the EU, but it also extends its applicability to international businesses that obtain information about EU citizens.
What data does GDPR seek to protect?
GDPR is all about the protection of consumer data, in other words the personal data of consumers that businesses collect in the EU. This includes basic identifying information such as name, address and ID numbers, but expands it to include web data such as location, IP address, cookie data and RFID tags. Other data such as health or biometric data, racial or ethnic data, political or religious beliefs, trade union membership, etc. are also considered personal data.
The EU regards the protection of personal data as a fundamental right of its citizens. It had a data protection directive, issued in 1995, which became outdated as technology advanced. Therefore, it has issued this comprehensive regulation.
When is it effective?
Compliance is expected to be in place by May 2018.
What makes GDPR unique?
Being a new regulation with extraterritorial implications for international trade, GDPR is expected to develop as it unfolds. Some of the key features are:
- The GDPR defines several roles, such as data controller, data processor and data protection officer, that are responsible for ensuring compliance. Entities will have to designate these functions within their personnel.
- The Right to be Forgotten is one of the key rights, and organizations will have to enable their systems to allow users to opt for erasing their data from the system.
- Data portability is a recognized right for data subjects (i.e., EU citizens) to transfer information provided to one data processor to another.
- Privacy by design – data controllers will ensure that only data necessary for the performance of duties is retained. Systems need to be designed accordingly. Privacy is not an add-on to a system; the system itself should recognize privacy.
- International law is expected to play a key role due to the extraterritorial provisions of the regulation.
What happens if there is a breach?
Within 72 hours of becoming aware of a breach, the data controller is required to notify the data subject and the corresponding Data Protection Authority (DPA) (each member country has its own DPA office).
What is the impact of non-compliance?
The regulation has penalties for non-compliance. Maximum fines for organizations in breach of GDPR can be up to 4% of annual global turnover or €20 million (whichever is greater).
If you believe you collect personal data in the course of your business, and that personal data includes data about EU citizens, you should have started your compliance program by now. The risk of non-compliance comes not only from EU enforcement agencies, but also from consumers, as EU citizens may prefer to buy goods and services from GDPR-compliant businesses. U.S. companies not demonstrating compliance could be at a disadvantage. While compliance is not required, it is equally important to demonstrate compliance or efforts towards compliance.
Do I have to start from scratch?
No. You may already have some privacy and confidentiality related policies in place. Begin with an understanding of where you are right now (through internal analysis) and where you need to be (through an understanding of the regulation). Easier said than done, but mobilize resources before consumers come asking. If you think you are not ready, take steps to prepare. Combining GDPR compliance with overall cybersecurity initiatives will bring much-needed efficiency. There is more data to protect because of GDPR, and understanding where critical data rests and how it is transported is fundamental to both GDPR compliance and overall cybersecurity preparedness.
What should I do next?
Check whether your organization has any cyber policies and procedures in place. Do those policies and procedures align with the compliance needs of GDPR? As mentioned, you may already have the required elements in place but need to enhance some areas. If you need guidance on ensuring compliance or need additional assistance, Withum’s Cyber Secure team can assist your organization to comply.