May 25th will be a critical day across the globe as the General Data Protection Regulation or GDPR officially goes into effect. As we touched on in our previous article, the GDPR is European Union legislation that will enforce more stringent regulations on how business collect, process, and store the data of European citizens. But any business-in any country-that handles the data of European Union citizens will need to comply. Many businesses in the U.S. are either unaware or woefully unprepared for this, and that’s where we want to help. While many big-name firms are announcing their compliance including Facebook, Microsoft, Google and others, smaller firms like yours need to consider what to do as well. Here are three steps your U.S.-based company might need to take to become GDPR-compliant.
1. Start Reviewing Processes To Ensure Compliance
The GDPR is a set of rules that are intended to better regulate how businesses handle the personal information of European citizens. The full text is available here, but as you’ll see when you get to step three, you probably want legal advice to help you fully understand potential implications of the legislation on your business. One step you can take first, though, is to start reviewing your processes to see how they align with the main principles of GDPR, which will require you to:
- Be more transparent about where and how people’s data is collected and used.
- Take reasonable measures to keep personal data secure.
- Offer people choices to “opt out” of data collection altogether and access or update their data.
- Take accountability if you use someone’s data incorrectly and take the proper action if there is a data breach. (Under the GDPR companies have a 72-hour reporting window to report a breach.)
- Notify customers of your compliance with GDPR.
Identify how stringent your current processes are for data collection, processing, and storage in relation to the GDPR by asking yourself:
- Do you give people the choice to opt out of data collection?
- Can people access their data or make corrections?
- Do you let people know how their data will or will not be used once you collect it? Do you stick to that promise?
- Do you currently have a protocol in place to report breaches within 72 hours?
This initial inventory phase can help you get an overall understanding of how stringent your current data security policies are and how they’ll potentially need to be changed to achieve GDPR compliance.
While the EU has had strict regulations on how businesses can handle people’s private information for years (the current Data Protection Directive, which the GDPR will replace soon, is already stricter than U.S. policies) the U.S. has not had regulations in place that were as stringent. Because of this, the EU has wanted the U.S. to have clearer ways for citizens to file complaints about improper data usage. Privacy Shield contains different “dispute resolution mechanisms” including an arbitration panel and an Ombudsperson at the U.S. Dept. of State to handle their claims.
3. Seek Legal Advice
Beyond a basic understanding of the overall meaning of GDPR and Privacy Shield, your company will need to involve your lawyer or legal team if you haven’t already to ensure you are ready for GDPR compliance. Yes, legal advice can come at a cost, but not fully complying with GDPR could be even more expensive. If you fail to comply, your company could be fined up to $20 million Euros or 4% of its global annual turnover, whichever is greater. You may also be reprimanded via corrective orders, which will tarnish your company’s global reputation. You can consult your own legal team or hire someone short-term to help ensure that your company is 100% GDPR-compliant and ready for the future.
Disclaimer: This article and the information herein is provided “as is” without any warranty expressed or implied. This article does NOT constitute legal advice. Crelate makes no claims that the information in this article is either complete or accurate. Crelate does not provide legal advice, and customers should consult with their legal professional to determine their responsibilities under the GDPR.