When the deadline for compliance with the European Union’s (EU) General Data Protection Regulation passes on May 25, 2018, some US companies invariably won’t be in compliance. The new regulation requires all companies doing business in the EU to demonstrate stringent policies for protecting EU residents’ data, and non-compliant businesses face a potential fine of 4% of global revenues, according to PwC.
PwC’s comprehensive survey of businesses’ preparation for GDPR compliance showed that most are spending between $1 million and $10 million in their efforts to be in sync with the regulation. These resources are being spent on such initiatives as Privacy Shield and binding corporate rules, as well as model contracts for EU cross-border compliance. Companies also are centralizing data centers in Europe and de-identifying European data to reduce their GDPR risk exposure.
Businesses affected by the GDPR specifically include:
- All companies that do business in the EU
- Companies with more than 250 employees that process the data of EU residents
- Companies with fewer than 250 employees whose data processing impacts the rights and freedoms of data subjects on a more than occasional basis, or includes certain types of sensitive personal data
The type of identity information the GDPR requires businesses to protect includes:
- Name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
In order to comply with the GDPR, companies are also responsible for making sure that their data management vendors are in compliance because the EU considers vendors an extension of the companies they work with for the purpose of managing data breaches. This means that all contracts with vendors of this type must be updated to reflect that systems and practices have been put in place for GDPR compliance. As with individual businesses’ policies, these vendor contracts need to define consistent processes for how data is managed and protected, and how breaches are reported.
“As specific measures for the storage and treatment of personal customer data are subject to GDPR compliance, this requires a strong information governance foundation among global enterprises,” says Scott Wenzel of Database Trends and Applications. “This ensures that they can identify where personal data exists in their systems and assess how to mitigate the associated risks. It also allows companies to leverage the power of their data beyond GDPR compliance requirements and transform data into a valuable and ongoing corporate asset.”
He noted that an effective information governance strategy includes setting, managing, and enforcing data-related policies and processes – essentially how a business collects and uses data. Wenzel suggests that enterprises can implement key best practices for executing a fool-proof information governance strategy to protect sensitive personal data and maintain compliance with all GDPR articles. These include taking stock of your data, centralizing information governance processes, and establishing data quality from the start of the process.
There is no question that it will take considerable effort to comply with GDPR. However, companies that take the necessary steps to do so will be rewarded not only with less scrutiny from EU officials but also with a stronger business better able to withstand data breach attempts.