Organizations around the world are getting ready for a new regulation that governs how they must handle data about European consumers, the General Data Protection Regulation or GDPR. Why are non-European companies preparing for this regulation? US-based consumers don't enjoy such protections. Indeed, US regulations appear to be going in the opposite direction if you consider the move in March to roll back broadband privacy regulations, enabling service providers to use consumer internet history to target advertising.
But you don't have to be a European company to deal with European customers. Any organization that stores or touches data coming from Europe will need to comply with this new regulation or pay stiff penalties -- up to 4% of annual revenue.
Experts note that "any US company with European customers in its database must fully comply or face big fines." A survey commissioned by Compuware found that 52% of large US companies store information that fits that profile. So chances are GDPR will affect you, even if you are in the US and work for a US-based company.
A couple of the basic elements of GDPR consumer protections include the following:
- The right to be forgotten. As a consumer in Europe, you are empowered to require a company to delete every bit of data they have about you.
- Data portability. If you are moving from one service provider to another, your provider must give you your data in a format that lets you transfer it from one service provider to another.
The good news is that enforcement of these new regulations goes into effect in May 2018, so there is still time to prepare. But you'd better get started now, because you have a big job ahead of you.
That's just what ADP, best known as a payroll and human resources service provider serving companies around the world, is helping its corporate customers to do.
"Clients have been asking questions since GDPR was enacted a year ago," Cecile Georges, Chief Privacy Officer at ADP, told me in an interview. "Clients want to know what they have to do to comply."
While ADP doesn't provide legal advice, Georges did offer some ideas about where organizations should start with their GDPR compliance efforts.
The first step, she said, is to understand the regulation itself. Georges points out that GDPR is made up of 99 articles, so any efforts to comply will include gaining an understanding of how those articles apply to your individual business.
How do you do that? Georges' next recommended step is to perform a gap analysis that inventories your organization's data processes now versus where they need to be to comply with the new rules. In this stage companies will need to answer questions such as: Who accesses the data? Where is it stored? Do you own the data?
"What companies do to comply will depend on the results of their individual gap analysis, so the answer won't be the same for everyone," Georges said.
"If you collect and process data originating from Europe, even if you don't have a company or legal entity over there, you are required to comply with GDPR," Georges said.
Companies with both European customers and non-European customers will need to decide if they want to create multiple compliance efforts -- a complicated undertaking. Do you have a separate program for your data and customers that touch Europe? Do you accept the effort, expense, and complexity of running two or more parallel compliance programs? Or should you instead create a single program that endeavors to comply with the regulations of the strictest jurisdiction where the company does business? That's not an easy question to answer, Georges noted. She sees some companies looking to create a hybrid approach.
How companies actually proceed remains to be seen. What about your company? How are you handling GDPR? Are you implementing multiple compliance programs within your company? Or are you following a GDPR-like compliance effort? Let us know in the comments.