GDPR - Don't Think It Won't Affect You!
by Scott Lewis
GDPR. Ever heard of it? In most cases, U.S.-based companies haven’t.
GDPR, which is the General Data Protection Regulation, is a standard that was adopted by the European Union and could have a huge impact on U.S. companies and organizations. The basic initiative of GDPR is to protect the personal data and privacy of EU citizens. It started out only affecting EU states but has quickly grown into a standard that is required to protect EU citizens living and working in other countries.
It comes down to this: If you are a U.S. company that does business in or with EU countries or if you have EU citizens working in the U.S. for your company, then GDPR could affect your business.
What is the history of GDPR? The EU adopted GDPR in April of 2016, with a compliance deadline of May 2018. All companies that work with or employ EU citizens must be compliant with the regulations. What does that mean for your business? The GDPR standards have been adopted by all 28 EU states, and the standards for data protection are high, which could require a big investment depending on the size of your organization. An additional burden could be the ongoing management of GDPR compliance, which could require specialized training to stay within the standards.
Are you going to be impacted by GDPR? In a recent PwC survey, 92% of U.S. companies considered GDPR to be a top data protection priority. However, in the same survey, 54% of respondents said they planned to de-identify European personal data to reduce exposure to GDPR regulations. Some other interesting responses were that 32% of companies said they planned to greatly reduce their presence in Europe, while 23% said they were planning on exiting Europe altogether.
Some of the basic guidelines around GDPR are designed to protect the data of individuals and to give them access to their personal information. These include the right to access their data: once a request has been made, the company holding the data must provide it within one month, free of charge. The individual also has the right to correct missing, incomplete or inaccurate data. They also have the right to have all their data deleted, with some exceptions, which gives the individual a lot more control over their personal data. GDPR also gives the right to restrict processing and the right to move an individual’s data, and in these cases, companies holding the data must provide it free of charge and in a commonly used format.
The GDPR guidelines will bring a universal standard for the reporting and management of data breaches. For example, the guidelines will require that data breaches, which could include but are not limited to incidents where personal data has been lost, stolen or accessed by an unauthorized third party, be reported within 72 hours of the breach. This alone is going to require companies with inadequate security processes to strengthen them and bring them more in line with accepted industry standards than in the past. U.S.-based companies that work with or support organizations doing business in Europe, and that lack good security processes or are not GDPR-compliant, could face fines imposed under the GDPR guidelines.
So what should U.S.-based companies do in preparation for GDPR? First, accept the fact that at some point, GDPR standards are most likely going to become U.S.-based standards as well, whether through trade agreements, through the way companies now store data all over the world in redundant data centers, or through legislation to curb cybercrime and cyberevents that result in lost or compromised data.
This all starts at the top of each organization. Leadership has to understand and make compliance a priority for their IT departments. This involves implementation of a higher level of security standards for internal data protections, internet protections, security awareness training, and ongoing risk assessments.
One area of your IT functions that you will want to highlight and prioritize is creating a plan around data protection. This will need to be a written plan that outlines your data protection strategy and how it aligns with the requirements of GDPR. Next, think about mobility. About 70% of corporate data is accessed through mobile devices, and the risk of being non-GDPR-compliant grows because about 90% of organizations allow personal apps to be loaded on corporate devices. Also have an incident response plan. Remember: you have only 72 hours to report a breach and to demonstrate your plan to respond to it. Finally, use ongoing assessment processes. This includes testing of your systems and data structure, and proof that you are reviewing and designing risk mitigation processes to reduce risk and stay in compliance with GDPR standards.
The bottom line is: Don’t think GDPR is not going to affect you at some point. Cybercrime is a global problem, and the protection of personal and corporate data is a high priority that is going to continue to increase. Many countries that are currently not members of the EU are reviewing and/or in the process of adopting GDPR standards to combat cybercrime, so don’t think the U.S. is not going to jump on this at some point. Start preparing for it now.
Scott Lewis is the president and CEO of Winning Technologies Group of Companies. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. He has worked with businesses to empower them to use technology to improve work processes, increase productivity and reduce costs. He has designed thousands of systems for large, medium and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management and support of technology resources. For more information, visit www.winningtech.com or call 877-379-8279.