U.S. Businesses and the General Data Protection Regulation
By Greg Sparrow, SVP/GM, CompliancePoint
The General Data Protection Regulation (GDPR) is a European Union-based regulation that requires businesses to protect the personal data and the privacy of any European Union (EU) natural persons when transactions occur within EU states. Data protected under the GDPR includes identifiable information (names, addresses, dates of birth), web-based data, health and genetic data, and biometric data. These bylaws were officially enforceable as of May 25, 2018 and apply to all businesses interacting with and marketing to EU data subjects. The GDPR is based on the precedent that private information always is, or should be, private, and that individuals have rights surrounding that data. The exact words according to the GDPR are that “data protection is a fundamental right.”
Despite the two-year grace window that companies were allotted to prepare for GDPR compliance when the regulation was first approved in 2016, a recent survey study titled “GDPR Readiness Survey” shows that very few are 100 percent compliant. The survey found that only 29 percent of the participants were actually aware of the GDPR, 44 percent said they were somewhat aware, and 29 percent said they were completely unaware. The survey also found that only 24 percent of businesses felt that they were prepared for the GDPR, and 31 percent felt they were somewhat prepared. This is compared to the 36 percent of businesses that said they did not feel prepared, and another 9 percent that said they were unsure. These numbers seem alarming because one infraction can cost a non-compliant business millions in revenue. It can be assumed that companies that are not fully aware or fully prepared face enormous risk when working with any customers who may be based in the EU.
Furthermore, the GDPR Readiness Survey also found that 45.6 percent of businesses reported that they have not become compliant because they are waiting to see what enforcement comes from the regulation. However, as more companies see initial fines, this number will likely drop. The GDPR notes that, under certain circumstances, companies doing business in the EU are required to hire a Data Protection Officer (DPO) to ensure compliance with the regulation. The DPO is responsible for informing and advising organizations of their obligations under the regulation, monitoring compliance with the regulation, responding to requests from data subjects, and cooperating with the supervisory authorities, including reporting breaches that result in risk to those affected within 72 hours as required by the GDPR. When a DPO is required, appointing someone to this position will be just one small step that those 45.6 percent of businesses will need to take to become compliant with the requirements under the GDPR.
According to the GDPR website itself, fines administered for non-compliance and the amounts levied depend on 10 key criteria: the nature of infringement, intention, mitigation, preventative measures, history of violations, level of cooperation with the supervisory authorities, data types, notification, data protection certifications, and other. Infractions that are considered “lower level” violations, such as not having data records in order, failing to notify the supervisory authority and data subject about a breach, or not conducting privacy impact assessments, are subject to a penalty of up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher. Infractions that are considered “upper level” violations, such as violations of basic principles related to data security and conditions for consumer consent, violations of data subject rights, and transfers of personal data to third parties or international organizations that do not ensure an adequate level of data protection, are subject to a penalty of up to €20 million, or 4 percent of the worldwide annual revenue, whichever is higher.
In addition to the above findings, 39.7 percent of businesses responded that they lack regulatory understanding, which is holding them back from working towards meeting the data protection standards. The EU has yet to issue official assessment criteria, which makes it harder for businesses to implement a solution when there is no telling how regulators will officially evaluate them. In the same survey, 36.8 percent of businesses said their lack of budget was a factor in compliance failure, while another 33.8 percent noted low brand visibility, concluding they feel safer as a small company that may not be targeted as easily. Additionally, 27.9 percent of businesses said they were unconcerned with being GDPR compliant. Respondents did not report whether they were unconcerned due to lack of understanding, lack of threat, or lack of business presence in the EU.
The topic of data privacy and protection is not a new one for those living within the EU. The GDPR actually replaces a similar directive that was put into effect in 1995, when the internet was gaining tremendous attention and becoming more usable for consumers. Since then, the way that web giants such as Google and Amazon utilize their customers' data has become so complex that customers oftentimes don’t realize what personal information has been stored. The GDPR differs from privacy regulations in the United States as the American approach to information privacy is comprehensive in nature.
For example, a hospital will store different information than a retail organization, and a retail organization will store different information than an online marketplace. The U.S. holds certain privacy protection acts and standards as implemented by HIPAA, PCI DSS, and other smaller bits of privacy; however, the GDPR keeps the issue of privacy extremely simple. It doesn’t matter if the data is regarding credit information, healthcare records, or simply an online social profile – it is all protected the same. Of the respondents polled in the GDPR survey, nearly half (48.5 percent) with knowledge of the GDPR said that the requirement they anticipated being the most challenging was maintaining records of processing, followed by 39.7 percent who said consent would be the most challenging.
Supported by data collected from the U.S. Small Business Administration (SBA), the GDPR may certainly pose direct risks to U.S. businesses. According to the SBA, 98 percent of businesses export goods internationally, putting them within the jurisdiction of the GDPR. The first steps any company must consider to mitigate its exposure to fines or risk include understanding the regulations and how data is used within the organization. Once risk and priorities have been identified, it is critical for organizations to identify and establish their lawful basis for processing of personal data. Using the trusted counsel of a compliance firm, as a non-biased third party, can help organizations quickly identify both industry and organizational risks that are often otherwise overlooked. A risk management and compliance consulting firm can help organizations quickly identify risk, formulate a plan to mitigate this risk, and set up ongoing monitoring programs to maintain valuable records of compliance.
To become adequately compliant with the GDPR and similar regulations, businesses must become educated on these regulations and determine how to meet the requirements. Applicable data protection processes and procedures can not only help minimize exposure to fines but also provide an opportunity within the market to reassure customers and earn their trust.