This article was originally published on Born2Invest.
U.S. companies thrive on customer information, but a major regulatory change abroad will have significant implications for data-gathering practices here. The General Data Protection Regulation (GDPR), to be enforced on May 25, 2018, places a standard set of data protection laws across all European Union countries and covers the personal information of EU citizens. Any U.S. company preparing to access or use that personal information is subject to the regulation as well, meaning this regulation certainly can’t be ignored.
The regulation looks to ensure consistency in the way organisations handle customer information, increase visibility for consumers on how their data is being used, and update outdated data protection legislation to reflect digital progression. GDPR largely focuses on allowing consumers to know and control how their data is used, particularly for marketing purposes.
Any business that processes data from EU citizens must adhere to the GDPR regardless of the business’s location or where the data is processed. Violations come with a hefty price tag: According to a 2018 Fortune article, offenders can see fines of up to €20 million or 4 percent of worldwide annual revenue, if not higher. So American brands wanting to advertise to consumers in the EU must first understand—and ultimately comply with—the GDPR.
What’s covered in the GDPR?
For some companies, the GDPR may be an extension of current data privacy practices; for others, it may require a complete overhaul. The GDPR stipulates that companies must report security breaches. American businesses should already be prepared to report breaches to comply with state and federal regulations, but be aware that European authorities must be notified within 72 hours of any breaches concerning EU citizens. If this timeline isn’t standard procedure for your company, create a plan that ensures your cybersecurity team can respond more quickly.
The more significant changes of the GDPR involve consumers’ rights to their information. EU citizens will need to have more insight into (and more say about) how their information will be used. Terms regarding customer information must be clearer, and companies must obtain consent for each term. Additionally, consumers must have electronic access to records regarding the information a company has gathered on them. These consumers then have the right to make changes or request that data be deleted.
The GDPR goes further than current regulations in an effort to foster more trust between consumers and corporations. The GDPR is more comprehensive, allowing regulators to judge issues on a case-by-case basis. To keep your company aligned, it’s best to be diligent about assessing and updating your data privacy practices, leaving no room for errors.
How to prepare for the GDPR
If your company currently does—or plans to do—business with EU citizens, it’s time to re-evaluate how you’re handling customer information. Here are three areas to address:
1. Conduct a data protection impact assessment
To prepare for the GDPR, the best place to start is by identifying where your organisation is processing data from EU consumers as well as how you’re going about it. This assessment is meant to do just that, helping companies determine which processes and practices must change to comply.
This assessment should include an evaluation of the information your organisation processes, how it’s being processed, and the purpose of doing so. It should also examine the risks posed to those whose information you have as well as what steps your company is taking to safeguard against them. In the case of the GDPR, compare what you’re currently doing against the new requirements and identify steps to fix potential discrepancies.
2. Understand what third-party suppliers are doing
If you engage with third-party suppliers, you also need to investigate their data processing practices. If EU consumers are involved, your company could be held liable for any mistakes the supplier makes. This is particularly important when you consider that roughly 50 percent of companies are increasingly reliant on third parties, according to Deloitte Global’s “Extended Enterprise Risk Management” survey, but fewer than a quarter of those businesses have adequate risk management in place for the extended enterprise.
Treat your assessment of your third-party supplier’s process like you would your own and suggest appropriate changes to ensure compliance.
3. Review your data protection policy
Every employee also plays a role in maintaining compliance. Your company likely has disciplinary action in place if employees violate data protection policies, but your team members must also understand that the consequences are more severe if their actions cause the company to violate the GDPR.
Make sure your employees not only understand the new protection laws but also understand why your policies and procedures are in place and what role they play in maintaining data protection. Help employees see their responsibility in the context of the bigger picture. It will better ensure that they value and uphold compliance.
While U.S. companies may think EU regulations have little relevance domestically, the GDPR applies to any organisation doing business with EU citizens. Beyond just incorporating these changes into your company’s practices, you should endeavor to stay on top of further updates and changes. For example, at Acceleration Partners, we follow and participate in the International Advertising Bureau UK and the Information Commissioner’s Office to ensure our company (and our industry) is prepared. With some preparation, complying with the GDPR won’t seem so daunting.