The GDPR Takes Flight: What American Companies Need to Know

Companies are being inundated with the ever-changing landscape of data security, network security, cyber security and a host of other digital references that leave legal and compliance departments frustrated and looking for answers. This is especially true for small and medium-sized businesses or enterprises (SMEs) that operate without a litany of specialized attorneys and robust IT departments. With the General Data Protection Regulation (“GDPR” or “Regulation”) coming into force, companies are now responsible for additional compliance concerns, so what exactly do American businesses and SMEs need to know?  

The GDPR comes into force this May 2018 across the European Union (“EU”) and is undoubtedly the largest and most far-reaching global data privacy law in history. The GDPR was designed to give EU residents an opportunity to control how companies utilize their personal data. This includes how companies manipulate data for sales and marketing as well as for security purposes. The GDPR, in short, allows EU residents to own their data and dictate use of said data if an individual or business is using it for commercial purposes. In the United States and globally, companies have been able to manipulate data without legal recourse. The GDPR, although an EU regulation, sets the stage for improved data security and commercial use of individuals’ personal information across the globe. Multinational companies that gather data from EU residents will have to implement legitimate compliance controls to comply with the law.

What kind of data is protected?

The GDPR protects personal information and any data that is utilized to identify an individual, behaviors or other metrics typically used for commercial purposes. Under the GDPR, “personal data” is any information relating to an individual based on name, government identification number, location data, online identifier or other factors relating to physical, physiological, genetic, mental, economic, cultural or social identity. The Regulation also establishes special categories of data that are not ubiquitous but nonetheless important. These special categories include data that reveals the origins, political, religious and philosophical views along with genetics and biometrics for individual identification, data concerning health, sex life or sexual orientation.

Do American companies have to comply with the GDPR?

The short answer is yes. Any American company, whether large, medium or small, must generally comply with all aspects of the GDPR, if they gather personal information from EU residents. Some entities may be exempt from certain provisions of the Regulation, (i.e. Article 30, Records of processing activities) but these are specific exceptions. The GDPR is not only applicable to the businesses in the EU and its residents, but also to every other business that offers goods or services across the EU or in any member country therein.

What does the GDPR mean for American small and medium-sized companies?

Like all other business enterprises that must comply with the GDPR, small and medium-sized companies should ensure that they are employing knowledgeable compliance staff to develop programs with audit schedules, record-keeping controls, data processors, and officers. Companies may also benefit from third-party compliance firms that specialize in compliance outsourcing services. A third party will likely provide impartial feedback on your company’s GDPR program.

It should be noted that the GDPR provides some relief to SMEs under Article 30, but companies should not misinterpret this provision. Small and medium-sized businesses are not exempt from the Regulation. Article 30 simply relaxes processing controls for businesses that employ 250 employees or less. However, this wrinkle only applies if said company does not carry out activities that pose “risk(s) to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.” In short, SMEs, regardless of their home country, should take appropriate steps to comply with the GDPR. Failure to develop an efficient program may invite scrutiny if your company engages EU residents on a consistent basis. The most relevant SMEs are tech companies, and they should pay close attention to the GDPR.  

Here is what American businesses should do to comply with the GDPR

The GDPR has numerous provisions and rules that should be thoroughly evaluated by an in-house compliance professional or an outsourced compliance consultant. Companies should set aside funds to invest in developing a data collection program. Such an investment will ensure compliance with the GDPR, but also with companies’ clients, customers and users. With so many companies having to comply with the GDPR, clientele and other stakeholders will organically become more concerned with data gathering. This snowball effect will come with increased scrutiny and more probing by consumers of products and services. This is not a negative consequence, but it is something compliance departments should prepare for and acknowledge. The following are general guidelines that should be implemented moving forward.

  • Analyze the data collected and processed

Businesses should first analyze the data collected from users and identify what is required under the GDPR.  Thereafter, businesses should analyze how the data is being processed, transmitted and eventually used. The GDPR outlines provisions for both data collection and data processing at every stage of the processing cycle.  

  • Review existing policies

Businesses should undertake a thorough review of their existing policies to make them GDPR compliant. This includes website policies (Terms of use, Privacy policy, Disclaimers, etc.) as well as commercial contracts with customers and vendors.

  • Develop and implement express consent policies

The GDPR requires user consent to be express, explicit, clear and specific and in an intelligible and easily accessible form, using plain language. Consent needs to be voluntary and in the form of a request separate from all other terms and conditions. Businesses should make suitable provisions to enable users to withdraw said consent.

  • Data Protection policies

Businesses should develop and implement a data protection policy with appropriate technical and organizational measures to implement principles outlined in the GDPR. 

  • Develop fair processing notices

The GDPR stipulates that users should be adequately informed on the how, what and why of data collection, recipients of data, data access procedures and timelines of data storage. Businesses should develop fair processing notices to keep the users informed.  Businesses should also make sure data is used solely for the purpose for which consent was obtained.

  • Appoint Data Protection Officers

The GDPR places a critical responsibility on businesses to identify and appoint a Data Protection Officer (‘DPO’).  The DPO shall be responsible for implementing and monitoring compliance with the GDPR.  The details of the DPO shall be adequately communicated to the users at the time of obtaining their consent for data collection.

  • Prepare for Data Access Requests

Users have the rights to access their data, correct inaccuracies, object to data processing or completely erase data held by businesses.  Businesses need to design and implement suitable policies for such access requests and comply within the required timelines (one month).

  • Undertake training and awareness programs

Businesses should train all internal and external stakeholders having access to personal data, specifically those involved in data collection and processing. Periodical training and awareness initiatives validate the compliance program.

  •    Reporting data breaches

In case of a serious data breach, businesses should report the nature, extent and consequences of breach along with the remedial measures to appropriate authorities within 72 hours, followed by a similar communication to applicable users.

Consequences of non-compliance

The consequences of non-compliance are hefty fines, so compliance is important. Supervisory authorities within the EU have investigative and corrective powers to monitor and impose such fines, so companies should monitor these developments and enforcement actions to ensure continued compliance as the GDPR unfolds.  While fines are problematic, non-compliance with the GDPR may demonstrate a business’ lack of commitment to earning customers’ trust and protecting clients’ prized personal information. This form of disregard can cause long-term, irreparable damage to a company’s reputation.     

If your organization is concerned about governance, risk mitigation, regulatory compliance, human resources management and ethics, we can help simplify things for you. Call us at 973-520-6131. You can also get in touch on our website at www.riddlecompliance.com. We’re passionate about supporting our clients with respect, transparency, and unparalleled expertise.