Mention “GDPR” in the U.S., and you’ll likely get a blank stare.
Mention “GDPR” in any business conversation in Europe and just about everyone will know what you’re talking about. The problem is that they’re probably not completely sure what they’re going to DO about it.
Both fronts need to get up to speed on GDPR and set a strategy for dealing with it – and quickly.
Here’s a snapshot of what you need to know right now.
GDPR, or General Data Protection Regulation, is a new set of European rules and standards related to privacy and data governance. Here’s the trick: it’s not just for European companies, but for any company doing business in Europe or with European customers.
GDPR establishes a single set of data governance rules for Europe and assigns clear responsibility and accountability for enforcement of those rules. It requires the active consent of customers and gives them new portability powers to control the transfer of their own information. It sets up significant penalties for non-compliance. And for companies outside the EU: “the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents.” All of this goes into effect May 2018.
There is a temptation to assume nothing in GDPR is critically different. Europe has had data governance and data protection regulations since 1995.
So why all the fuss? Six big reasons:
- Unlike the previous EU Directive on data privacy, the new GDPR is an EU Regulation. This means it becomes directly effective on 25 May 2018, after a two-year transition period, and, unlike a Directive, it does not require any enabling legislation to be passed by national governments.
- The penalties for non-compliance are significant. Fines can be imposed up to 20m Euro or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83, Paragraphs 5 and 6).
- Customer consent must be explicit. Valid consent must be explicit about the data collected and the purposes for which that data is used (Article 7; defined in Article 4). In addition, data controllers must be able to prove “consent” (opt-in), and consent may be withdrawn.
- The old escape clauses for non-European companies no longer work. Non-European companies utilized “Safe Harbor” provisions to comply with the original data protection regulation. In July 2000, the European Commission (EC) decided that US companies complying with the principles and registering that they met EU requirements could transfer data from the EU to the US. But the international Safe Harbor Privacy Principles were overturned on October 24, 2015 by the European Court of Justice after a customer complained that his Facebook data was insufficiently protected.
- Managing unstructured information and documents is key to compliance. According to the European Commission, “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life.” The Commission notes, “It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” Companies must be able to identify any place or document containing personally identifiable information (PII) and be able to provide an index of that PII data to the customer if requested – an impossible requirement without a content management system.
- Extended chains of liability. If PII is being stored or handled by a cloud services provider or a document process outsourcer on your behalf, you retain responsibility for the data governance practices of your outsourcers.
According to the IAPP-EY Annual Privacy Governance Report 2016, “For privacy and data protection professionals, 2017 may prove to be a watershed year.” Data governance challenges in the new GDPR cannot be left until the last minute – the time to get serious is right now.