The European Union (EU) General Data Protection Regulation, or GDPR, is setting a new standard for consumer data privacy. It becomes effective May 25, 2018. What does this mean for U.S. companies? First, what is GDPR?
The GDPR will bring about some serious changes in data privacy and will affect anyone who is present in the EU, along with any company that handles the data of EU consumers, which would include companies across the world, including the United States. GDPR’s mission is to give control back to the people and to ensure that everyone has the right to consent to the use of their Personally Identifiable Information (PII).
According to the UK’s Information Commissioner’s Office, GDPR applies to both controllers and processors, placing further obligations on both to protect records of personal data.
Controllers determine how and why personal data is processed, with processors acting on the behalf of controllers. If you are a processor, the GDPR places specific legal obligations on you, for example, you are required to maintain records of personal data and processing activities and you will have significantly greater legal liability if you are responsible for a breach.
Will GDPR impact the way American businesses manage sensitive data? CompuData’s Client vCIO Andrew Rosado provides answers.
Andrew Rosado: It’s important for American companies currently serving clients in the EU to realize that GDPR will impact the way they manage sensitive information. Complying with GDPR’s information management standards is a priority and really, in many ways, it is an opportunity overall for companies in the United States to step back and take a solid assessment of their information management best practices. The handling of PII across multiple systems is vitally critical – there is a huge level of accountability in the management of a person’s information. What the EU is saying with GDPR is ‘Look, we’re giving the people the right to control what is happening to their personal data – where it is, who can access it and the power to request deletion of it’ and this is a very good thing for all of us. Europe is very good about looking out for the rights and privacy of its people – Europe is backing consumers, not companies, when it comes to the use and control of personal data. It’s also important for companies using CRMs, databases, etc., to contact their vendors to inquire how they are coping with the changes and how their platform/solutions will adjust to meet the new regulation.
So, when it comes to GDPR, it’s really about accountability – what is happening to an individual’s personal information, and how companies are accountable for that information management?
Andrew Rosado: Exactly! Does a person really know what is happening to their data? Probably not. GDPR is calling for accountability and a higher level of transparency in the way a company processes personally identifiable information. GDPR is calling for new compliance standards in information management to drive a level of transparency we haven’t seen before – this is a very good thing for consumers. It’s important to note that most companies simply store information – including PII – for normal business needs. Most do not resell user data or information – at least not in the SMB space. Still, it is important for all businesses to address the questions that surround GDPR – before they are asked similar questions by their clients, employees, vendors or consumers.
What can a company do to prepare for GDPR?
Andrew Rosado: For U.S. businesses doing business with clients in the EU – and quite honestly this would be a best practice for all businesses, in general – the time has come to do a thorough data management systems check, an information management audit, if you will. Businesses today need to have a technology-savvy person or persons in place to oversee information management, governance and compliance. GDPR calls this position a Data Protection Officer, and typically this could be a CIO or a chief compliance officer at an organization – someone who is tech savvy and understands the policies, procedures and best practices an organization must adhere to in order to remain compliant with regulatory requirements.
Andrew Rosado: A needs assessment is a deep-dive systems check into how a process or processes are being conducted, managed, maintained and sustained. It’s a big deal. An information management audit allows a company to ask tough questions and face hard truths about everything from where their data is stored, to emailing practices, file structures and more.
- Where are you saving your files – Dropbox, internal servers, on workstations?
- Who has access to your files?
- Are you monitoring daily operations, policies and procedures when it comes to information management?
- Do all employees have an awareness of information management policies and expectations? When are employees exposed to company information management expectations?
- How are you dealing with sensitive information?
- What are your best practices for managing personally identifiable information – are these in line with specific information governance requirements targeting your industry or market?
- If a client contacted your company right now requesting all their personally identifiable information be deleted from your system immediately – could you quickly comply?
- Do you have a Data Protection Officer?
Answering these questions is a great start in building a better information management roadmap for any U.S. company concerned with the requirements of GDPR.
Andrew Rosado: Absolutely! It most certainly is – and really that is the best call to action GDPR brings to American businesses right now overall. GDPR is a wakeup call – Europe is sounding the alarm for businesses to be more accountable for their information management practices, and U.S. businesses need to take notice. Information management and compliance are only going to be more stringent and regulated over time. We are seeing the signs of this now. It makes all the sense in the world for companies, right now, to take a step back and evaluate their current information management practices. Now is the time for businesses to ask themselves if their information management practices are all they can be and if their cybersecurity best practices will ensure all data is protected. Regardless of GDPR’s direct impact on American businesses, now is the time for all businesses to ask themselves, when it comes to information management of sensitive client data: Are we doing enough – and are we transparent enough?
Need more GDPR guidance? Contact us today.