January reader favorite: GDPR will be a harsh wake-up call for most U.S. companies
While European businesses brace themselves for the May 2018 deadline to comply with the General Data Protection Regulation, recent surveys have shown that just 25 percent of U.S. companies believe the regulation applies to them. That misconception could end up costing them up to four percent of annual global turnover or €20 million (approximately $24.5 million), whichever is greater.
The regulation is designed to give consumers more control over their personal data, which it defines broadly enough to cover IP addresses, location data and genetic data. It clearly outlines the rights of consumers, or “data subjects,” including the right of access, the right to erasure (the “right to be forgotten”) and the right to data portability, all aimed at improving transparency and data security.
Though GDPR is more of an evolution than a revolution in the way businesses capture, process and store personal data, it will be transformational because it reaches beyond the borders of the EU: it applies to any business that offers goods or services to, or monitors the behavior of, people in the EU, regardless of where that business is located.
Further, GDPR will change consumer expectations for how their data is handled across the board, adding pressure to companies who may not be regulated. With such steep penalties for non-compliance just a few months away, it’s time for U.S. companies to understand how GDPR will impact their businesses.
So what should these U.S. companies expect when GDPR goes into effect? And what simple steps can an IT team take to make sure customer data — and their company — is protected?
No More Delayed Breach Disclosures
One of the key components of GDPR is the way it governs data breaches. A company that becomes aware of a breach of personal data has just 72 hours to notify the relevant supervisory authority, and where the breach is likely to put individuals at high risk it must also inform the affected people without undue delay.
In light of the massive data breaches we’ve seen at U.S. companies such as Equifax and Uber, and how long they delayed disclosing those breaches to the public (six weeks for Equifax and over a year for Uber), it’s clear that some U.S. companies aren’t yet ready (or willing) to speed up their notification processes. These failures to disclose are a key reason more than two thirds of U.S. and UK consumers are concerned about how brands use their personal data.
Technically, GDPR’s breach obligations cover the data subjects who are in the EU, not a company’s entire customer base. But unless a company’s internal IT systems and procedures are structured so that it can reliably tell which records belong to people in the EU, it will ultimately need to disclose the breach to all customers, or risk violating the law by missing even a single EU data subject.
IT teams should begin preparing for these possibilities now.
Start by clearly documenting what personal data you hold, where it came from and who you share it with. Then, sync with your customer communications team to review and update privacy notices, develop response procedures for customer requests for data access and deletion, and refresh methods of seeking, recording and managing consent.
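The inventory and breach-scoping step above, as an added example that is not part of the original article: a minimal personal-data inventory with a residency field, and a function that, given the records touched by an incident and the time the breach was detected, returns the 72-hour supervisory-authority deadline and the set of subjects to communicate with. When any affected record lacks a residency, it falls back to notifying everyone, which is the situation the text warns about. The EEA country list, the record fields and the sample inventory are assumptions for illustration, not anything taken from the page.

```python
"""Breach scoping against a personal-data inventory (illustrative, added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# ISO 3166-1 alpha-2 codes of EU/EEA states as of 2018. This list is an assumption
# for the example; GDPR's reach turns on where the data subject is, not on citizenship,
# so confirm the scoping rule with your legal team before relying on it.
EEA_COUNTRIES = frozenset("""
AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE GB
IS LI NO
""".split())

# Article 33 clock: 72 hours from the moment the controller becomes aware of the breach.
NOTIFY_AUTHORITY_WITHIN = timedelta(hours=72)


@dataclass(frozen=True)
class SubjectRecord:
    """One line of the inventory: what is held, where it came from, who it is shared with."""
    subject_id: str
    country: Optional[str]      # None means residency was never captured at collection
    categories: frozenset       # e.g. {"email", "ip_address"}
    source: str                 # where the data came from
    shared_with: frozenset      # processors or partners it is disclosed to


def breach_scope(inventory: Iterable[SubjectRecord],
                 compromised_ids: Iterable[str],
                 detected_at: datetime) -> dict:
    """Work out who must be told about an incident and by when.

    Returns the supervisory-authority deadline, the subject ids to communicate with,
    the ids whose residency is unknown, and whether the result had to fall back to
    notifying every affected subject because residency could not be established.
    """
    if detected_at.tzinfo is None:
        # A naive timestamp makes the 72-hour clock ambiguous; refuse it outright.
        raise ValueError("detected_at must be timezone-aware")

    compromised = set(compromised_ids)
    affected = [r for r in inventory if r.subject_id in compromised]

    in_eea = {r.subject_id for r in affected if r.country in EEA_COUNTRIES}
    unknown = {r.subject_id for r in affected if r.country is None}

    # If residency is unknown for anyone, the safe course is to notify every affected
    # subject rather than risk silently missing someone in the EU.
    fallback_to_all = bool(unknown)
    to_notify = {r.subject_id for r in affected} if fallback_to_all else in_eea

    return {
        "authority_deadline": detected_at + NOTIFY_AUTHORITY_WITHIN,
        "notify_subjects": to_notify,
        "unknown_residency": unknown,
        "fallback_to_all": fallback_to_all,
    }


# Constructed sample inventory; none of these are real people or systems.
SAMPLE_INVENTORY = [
    SubjectRecord("u1", "DE", frozenset({"email", "ip_address"}), "signup form", frozenset({"crm-vendor"})),
    SubjectRecord("u2", "US", frozenset({"email"}), "signup form", frozenset()),
    SubjectRecord("u3", None, frozenset({"email", "location"}), "mobile app", frozenset({"analytics"})),
    SubjectRecord("u4", "FR", frozenset({"email"}), "newsletter import", frozenset()),
]

DETECTED_AT = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Clean case: every affected record has a known residency.
    print(breach_scope(SAMPLE_INVENTORY, ["u1", "u2", "u4"], DETECTED_AT))
    # Degraded case: one affected record has no residency, so everyone gets notified.
    print(breach_scope(SAMPLE_INVENTORY, ["u2", "u3"], DETECTED_AT))
```

The design point is the `country` field: if it was never captured, no amount of incident-response tooling can narrow the notification set afterwards, so the inventory work in the paragraph above is what makes the scoping decision possible at all.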
While it’s a shame this sort of transparency had to be enforced by law rather than handled by good business practices, GDPR’s strict disclosure rules may help U.S. companies rebuild consumer trust in the event of a breach. Early notification is key for consumers to be able to take measures to protect themselves from those who would profit from stolen data, and GDPR will cut down on the time bad actors have to do significant damage.
US Version on the Way?
European governments have traditionally been at the forefront of data privacy legislation, but bilateral data-sharing agreements between the EU and the U.S. mean there will likely be a similar or complementary law on the books in the US.
From my perspective, it’s less of an “if” and more about “when” the US will adopt a version of GDPR.
Though the U.S. regulatory climate is in flux right now, it’s reasonable to expect this change within the next five years. U.S. businesses that currently operate or soon plan to operate within the EU must take action now to ensure compliance with GDPR. Even IT teams at companies that won’t be regulated should start acting like companies that are — they’ll be ahead of the curve when similar protections inevitably extend to US consumers.
One key way to get ahead is to appoint a data protection officer responsible for ensuring compliance with the law. GDPR only mandates a DPO for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data, but every IT team should designate a point person to spearhead the compliance effort.
Because of the complex system upgrades and internal process changes required for GDPR compliance, it’s safe to say that the shift will feel like a burden for IT, legal and HR teams at first. However, I see GDPR as a dose of tough love for organizations both inside and outside the EU. It serves as a forcing function for companies to modernize their data management systems, while improving how they communicate with, and relate to, their customers.
The upfront time and capital investment required to comply may initially be painful, but will ultimately create value for both businesses and their consumers. Smart IT and business leaders will approach GDPR as an opportunity rather than a new headache, and their customers will reward them for it.