GDPR isn’t just for tech companies in the European Union.
As a measure to improve the levels of protection of European Union citizens’ data, the European Parliament adopted the General Data Protection Regulation (GDPR) on April 14, 2016. It applies to ANY company that handles data of EU citizens. It was designed to harmonize data privacy laws across the EU. The regulation went into effect on May 25, 2018.
If you are a North American company doing business with anyone in EU countries you need to be aware of the following:
- The GDPR requires that any company doing business in the EU must securely collect, store and use personal information, regardless of the company's size. Small companies can still face fines for violations. You can't claim you "only do business in California" if you actually collect and store tons of data on EU customers through your website.
- Fines for non-compliance can be as much as $21 million or 4 percent of your organization's annual worldwide turnover, whichever is greater.
- The regulation upholds the "right to be forgotten." Consumers can ask companies to remove personal data that they published publicly, and companies must comply.
- The law requires companies to report a detected data breach to consumers within 72 hours.
How Can North American Companies Handle GDPR?
- You need to educate employees in your company about the GDPR’s importance and the role they have to play.
- Organizations must have an inventory of all personal data they hold.
- Review all your current data privacy notices alerting individuals to the collection of their data. Some of these might need updating.
- Look over your privacy policies and procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
- Review current access rights and how they could change, update procedures, and plan how requests within new timelines will be handled.
- Assess your current methods of handling and/or processing data. You want to check that you’ve covered your legal obligations. Document any of your methods or procedures.
- Review how you’re requesting and tracking customer consent. GDPR requires you to ask, obtain, and record consent for data collection.
- Make sure that someone in the organization or an external data protection advisor takes responsibility for data protection compliance.
- Review the procedures that are in place to detect, report, and investigate a personal data breach. Also, you should always assume a breach will happen at some point.
Compliance as a Competitive Advantage, or a Major Risk
Since the GDPR, some companies in North America are finding that expanding their business globally is more challenging. However, some companies will find that compliance gives them an edge when working with customers that require such compliance. Even before this new set of regulations, B2B companies were already discovering that cybersecurity was making or breaking new sales.
While there are tons of free resources and security tools, especially for small businesses and startups, companies have to make the choice to strengthen their security and privacy policies, or take the risk of noncompliance and falling behind competitors.