Blog Post

What US Businesses Need To Know About the GDPR Law


Excerpt: EU’s GDPR law will go into effect in May 2018 and will affect many US-based businesses. Here’s what you need to know and what to do to stay compliant.


If your organization processes any kind of personal data, you’ll need to assess how the EU’s GDPR law will affect your business.

Even for companies based in the United States, it’s very likely that they have clients or customers who are EU citizens — which means this law will affect many US corporations.

Image source: Host In Ireland

Here’s what you need to know about GDPR, and what you can do to stay compliant:

What Is the GDPR Law?

GDPR stands for “General Data Protection Regulation” — it’s a legal framework that provides guidelines to govern the collection and processing of personal information of individuals within the European Union (EU). This framework was adopted by the European Parliament in April 2016, and businesses must comply by May 2018.

The GDPR outlines the principles on how to manage personal data collected by businesses and the rights of the individual pertaining to such data collection.

This regulation not only affects companies based in the EU but also all businesses that deal with the data of EU citizens.

That means if you’re a US-based company doing business with EU citizens, you’re required to comply with the GDPR by May 25, 2018, or risk being fined up to 20 million euros or 4 percent of global turnover for the previous year.

Even though the UK is leaving the EU, the current Brexit plan intends to keep the GDPR in effect in the UK.

Image source: LinkedIn Pulse, George Lynch

What Does the GDPR Entail?

The GDPR requires businesses to obtain explicit consent for the collection and usage of personal data, notify all EU citizens in the event of a hack or a breach, and appoint data protection officers to oversee data security.

It has a particularly significant impact on financial institutions, which will need to invest in compliance to ensure their continual access to the EU market.

GDPR’s Impact On Data Collection

The GDPR will hit the financial, lending, insurance, and other similar industries the hardest since they need to collect sensitive personal data out of necessity.

However, more businesses than you’d expect will be affected.

For instance, the rule applies to the human resources records of any businesses with employees in the EU and even EU-based IP addresses of people using online services.

The GDPR is essentially an extension of the data rights that the EU has been pushing for, such as the right to data portability and the right to be forgotten.

As GDPR comes into effect, it’ll encourage companies to minimize the information they collect from employees and customers to the functional essentials, just enough to complete a transaction.

What Your Business Needs To Stay Compliant With the GDPR Law

Now is the time to invest in bringing your data collection, monitoring, and security policies up to speed, so you can stay compliant and continue doing business in the EU.

1. Know Your Data

Be mindful about the data you collect, why you’re collecting it, who is responsible, how it’s stored, and what level of security and encryption is used to protect it.

If your business is collecting data that is non-essential to servicing your customers, you may want to reconsider if you should continue collecting the information.

2. Enforce Encryption

Proper encryption protects data by making it useless to hackers in the event of a data breach.

Install SSL to keep sensitive information encrypted when it’s sent across the Internet, and use proven technologies that comply with industry standards (e.g. Triple DES, RSA, AES) to ensure the safe transit and storage of data.

3. Pseudonymize Personally Identifiable Information (PII) For Data Analysis

Pseudonymizing PII prior to processing such personal information offers another layer of security, as the data cannot be traced back to a particular individual without the separately held re-identification information.

Pseudonymization of data allows businesses to take advantage of Big Data and do some larger scale data analysis while staying compliant with the GDPR law.
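As an added illustration of the pseudonymization step above (this is example code, not code from the original post or from any product it mentions), the snippet below replaces the direct identifier in each record with a keyed, deterministic token. The token is an HMAC-SHA256 of the identifier under a secret key that is held separately from the pseudonymized dataset; the same person always maps to the same token, so per-person analysis still works, while the analysts handling the data cannot recover the email address from the token without the key. The records and the choice of `email` as the only direct identifier are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for the example (not real customers).
RECORDS = [
    {"email": "Alice@example.com", "country": "IE", "amount": 120.0},
    {"email": "bob@example.com", "country": "DE", "amount": 40.0},
    {"email": "alice@example.com", "country": "IE", "amount": 80.0},
    {"email": "carol@example.com", "country": "FR", "amount": 15.5},
]

# Fields that directly identify a person and must not reach the analytics copy.
# Assumption for this example: email is the only direct identifier present.
DIRECT_IDENTIFIERS = ("email",)


def new_pseudonymization_key() -> bytes:
    """Generate the secret key; store it apart from the pseudonymized data
    (e.g. in a key vault with its own access controls)."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, value: str) -> str:
    """Keyed, deterministic token for one identifier.

    Normalising case and whitespace first means 'Alice@example.com' and
    'alice@example.com' collapse to the same subject. Using an HMAC rather
    than a plain hash means a party holding only the dataset cannot rebuild
    the mapping by hashing guessed email addresses themselves.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Return a copy of the records with direct identifiers replaced by tokens."""
    out = []
    for record in records:
        copy = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        copy["subject_id"] = pseudonym(key, record["email"])
        out.append(copy)
    return out


def spend_per_subject(pseudonymized):
    """Example analysis that still works on the pseudonymized copy:
    total amount per (pseudonymous) subject."""
    totals = Counter()
    for record in pseudonymized:
        totals[record["subject_id"]] += record["amount"]
    return dict(totals)


if __name__ == "__main__":
    key = new_pseudonymization_key()
    analytics_copy = pseudonymize(RECORDS, key)
    for row in analytics_copy:
        print(row)
    print(spend_per_subject(analytics_copy))
```

Two practical points follow from the design. First, the key is what makes the tokens reversible in principle, so it belongs to the function that needs re-identification (for example, handling an access or erasure request), not to the analytics team; rotating it produces a fresh, unlinkable set of tokens. Second, pseudonymization only removes the direct identifier. Quasi-identifiers such as country, date of birth or postcode remain in the copy and can still single someone out in a small group, so the data is still personal data under the GDPR and the remaining controls in this article still apply to it.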

4. Get Executive Management Involved

Deploying changes in your data storage, monitoring, management, and security systems can be a significant undertaking in terms of human and financial resources.

It’s critical to communicate the ramification of non-compliance and get the support from the highest level in your organization to ensure successful implementation of the changes required.

5. Appoint a Project Owner

Staying compliant with not only the GDPR but also other laws and regulations governing digital data security and usage is not something your IT guy can just take care of in his spare time.

To ensure that your business is compliant with all the laws and regulations now and in the future, consider appointing a Data Protection Officer, Chief Data Officer or equivalent. You can also hire an external partner to assist with GDPR compliance.

6. Review Data Security With Cloud Vendors

As more businesses are using cloud computing to handle customer information, it’s imperative that you conduct an audit of all your vendors’ existing systems, procedures, and contracts. Take inventory of the kind of customer data they’re handling and storing on your behalf.

Remember, your organization will be held responsible for meeting the GDPR requirements, so if a vendor is not compliant and doesn’t have a plan to become compliant, you’ll need to take the appropriate action.

7. Foster a Security-Aware Culture

Human error is often responsible for data and security breaches. It doesn’t matter that your business follows the strictest security protocol — just one mistake by one uninformed employee could lead to irreparable damage.

Make sure all your employees and contractors receive proper training on IT security and the handling of customer information.

8. Have a Response Plan

Cyber security is a moving target and no system is 100% bulletproof. You need an incident response plan in place to make sure that in the case of a data breach, you can recover as quickly as possible.

Under the GDPR law, in the event of a data breach, you’re required to alert the supervisory authority within 72 hours. If any unencrypted data has been stolen, you’ll also need to notify those whose data have been compromised.

9. Check Cross-Border Data Flows

If you’re transferring data from within the 28 EU member states, the other 11 countries in the European Commission, as well as Norway, Iceland, and Liechtenstein, to a location outside of these countries, make sure you follow appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses.

It’s Not All Doom-And-Gloom

Implementing GDPR compliance can be intimidating, but it’s also an opportunity to ensure that the level of security and protection your organization has in place is fit for this new digital era.

Doing so will not only help you stay within the law but also build trust with your customers as they’re expecting the companies they do business with to protect their privacy.