GDPR, ever heard of it? In most cases, US-based companies have no idea what you are talking about. GDPR, the General Data Protection Regulation, is a standard adopted by the European Union that could have a huge impact on US-based companies and organizations. The basic aim of GDPR is to protect the personal data and privacy of EU citizens. It started out only affecting EU member states but has quickly grown into a standard that is required to protect EU citizens living and working in other countries. What it comes down to is this: if you are a US company that does business in or with EU countries, or if EU citizens work in the US for your company, then GDPR could affect your business.
What is the history of GDPR? The EU adopted GDPR in April of 2016, with a compliance deadline of May 2018. All companies that work with or employ EU citizens must be compliant with the regulations. What does that mean for your business? The GDPR standards have been adopted by all 28 EU states, and the standards for data protection are high, which could require a big investment depending on the size of your organization. An additional burden could be the ongoing management of GDPR compliance, which could require specialized training and management in order to remain within the standards outlined by GDPR.
Are you going to be impacted by GDPR? In a recent PwC survey, 92% of US companies considered GDPR a top data protection priority. However, in the same survey, 54% of respondents said they plan to de-identify European personal data to reduce their exposure to GDPR regulations. Other interesting responses: 32% of respondents said they plan to greatly reduce their presence in Europe, while 23% said they are planning on exiting Europe altogether.
Some of the basic guidelines around GDPR, which are designed to protect the data of individuals and to give them access to their personal information, are the following. Individuals have the right to access their data, and once a request has been made the company holding the data must provide it within one month, free of charge. Under GDPR guidelines, the individual also has the right to correct missing, incomplete or inaccurate data. They will also have the right to have all their data deleted, with some exceptions, which gives the individual a lot more control over their personal data. GDPR also gives individuals the right to restrict processing and the right to move their data, and in these cases the companies holding this data must provide it free of charge and in a commonly used format.
The GDPR guidelines will bring a universal standard for the reporting and management of data breaches. For example, the guidelines will require that data breaches, which could include but are not limited to breaches where personal data has been lost, stolen or accessed by an unauthorized third party, be reported within 72 hours of the breach. This requirement alone is going to force companies lacking security processes to beef them up and bring them more in line with accepted industry standards than in the past. US-based companies that work with or support organizations that do business in Europe, and that do not have good security processes in place or are not GDPR compliant, could face fines imposed under GDPR guidelines.
So what should US-based companies do in preparation for GDPR? First, accept the fact that at some point GDPR standards are most likely going to become a US-based standard as well, whether through trade agreements, through the way companies store data all over the world in redundant data centers, or through legislation to curb cybercrime and cyber events that result in lost or compromised data. This all starts at the top of each organization. Leadership has to understand the regulation and make compliance a priority for their IT departments, which means implementing a higher level of security standards across internal data protections, Internet protections, security awareness training, and ongoing risk assessments. Some areas of your IT functions that you will want to highlight and prioritize are: a data protection plan, which needs to be a written plan that outlines your data protection strategy and how it aligns with the requirements of GDPR; mobility, since about 70% of corporate data is accessed through mobile devices, and the risk of being non-GDPR compliant grows because about 90% of organizations allow personal apps to be loaded on corporate devices; an incident response plan, remembering that you only have 72 hours to report a breach and to demonstrate your plan to respond to it; and ongoing assessment processes, which would include testing of your systems and data structures and proof that you are reviewing and designing risk mitigation processes to reduce risk and stay in compliance with GDPR standards.
The bottom line is: don't assume that GDPR is not going to affect you at some point. Cybercrime is a global problem, and the protection of personal and corporate data is a high priority that is only going to increase. Many countries that are currently not members of the EU are reviewing and/or in the process of adopting GDPR standards to combat cybercrime, so don't assume that the US is not going to jump on this at some point. Start preparing for it now.