The European Union’s General Data Protection Regulation (“GDPR”) was enacted in 2016, and gave affected companies until May 25, 2018 to become compliant. The GDPR is complex and far-reaching. Becoming compliant and maintaining compliance is no easy task.
In a survey conducted by the Ponemon Institute in April of 2018, half of the 1,000 companies questioned said they would not be compliant by the deadline. Somewhat surprisingly, over 60% of companies in the tech industry said they weren’t ready either. The new regulation is filled with ambiguities, and clarification will only come with time and careful observation of how regulators choose to enforce the law.
The GDPR applies directly to companies and residents located in the EU. However, the law also applies to many US-based companies. In general, any company that has employees or customers in the EU will have to comply with GDPR.
Penalties for non-compliance can be harsh, with maximum fines being 4% of a company’s revenue (not profits). For example, a company like Amazon, which typically reports large revenues but small profits, could be fined upwards of $7 Billion under the GDPR. While most industry experts believe such hefty penalties will be reserved for only the most serious violations, the wide range of potential fines and the lack of clarity about how the regulation will be enforced have created additional risk for businesses.
GDPR compliance has created a cottage industry of consultants, attorneys and PR firms who specialize in reviewing a company’s existing data and data management processes, and in implementing new programs and procedures to ensure GDPR compliance. Whether you outsource compliance, or develop in-house expertise, managers at every level need to have a basic understanding of what GDPR requires of companies.
Here’s a list of key GDPR terms and concepts:
- Key Provisions:
  - Permits users to see, correct and delete the data that concerns them
  - Companies are required to provide notice of data breaches within 72 hours of a breach
  - A company’s data policies must be transparent to the average person (i.e. the privacy information must be readily available and not buried in legalese)
  - There are different rules for different types of data. For example, “Special Categories” of sensitive data like medical records or children’s data require companies to take special precautions
- GDPR Casts a Wide Net. The law applies to any business that has data processing related to the offering of goods or services to customers residing in the EU. This includes any business that monitors the online behavior of users, such as tracking users for internet-based marketing.
- “Data Subjects”. EU residents have the right to request access to review personal information gathered by companies. These users are referred to as “data subjects” in GDPR, and they can ask for their information to be deleted, to be corrected if it is incorrect, and even to have it delivered to them in portable form.
- Consent Must Be Given. Companies that intend to collect and use their customers’ data must obtain consent. In addition, the company must provide the customer the ability to withdraw their consent at any time.
- Responding to Data Subjects’ Requests. A major part of GDPR compliance is setting up internal infrastructures so that data requests can be responded to. At a minimum, companies will have to identify what data they have and where it is stored (and in many cases, the data is stored in multiple places).
- Honeymoon Period to Address Ambiguities. GDPR is complex and filled with ambiguities. How it actually works in practice will depend on how regulators choose to enforce it. Eventually, norms will emerge: who the regulators go after, what kind of penalties are levied for what kind of behavior, and how much of that 4% of revenue they’ll extract from offenders. The general assumption is that EU regulators will recognize a honeymoon period while everyone figures out how the law is going to work.
- GDPR Enforcement Is Based, in Part, on the Users. Generally, a user must submit two filings before a company will be at risk of GDPR enforcement actions. A company has 30 days to respond after an EU resident submits a data subject request. If an unprepared company fails to respond, the data subject may file a complaint with their local regulator. At that point, it’s on the regulator to enforce the law. Actual enforcement, and the type, size and speed of enforcement (investigation and fines), will depend on the workload (the number of complaints filed) and the regulator’s workforce.
GDPR compliance may appear to be a daunting task at first blush. However, getting started down the road to GDPR compliance is easy. First, companies need to determine what data the company controls and where it is stored. This is not typically a job for lawyers, and usually requires a cross-company effort with members from IT and HR making large contributions. Second, as companies develop their GDPR procedures, they should carefully document their plan and actions. This step is particularly useful if a violation occurs. Most industry experts believe that regulators will recognize good-faith attempts to comply, so being able to present clear and up-to-date compliance records will help garner a favorable review from regulators.