GDPR goes into effect May 25. Are you ready? And, to that end, do you even know if it applies to you?
GDPR is the General Data Protection Regulation, a four-years-in-the-making rule approved by the European Union Parliament on April 14, 2016. GDPR replaces the old “Data Protection Directive” and is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy,” the rule’s oversight page says.
Fine, but why should you care?
American (and Canadian) companies may find they need to comply with GDPR changes as well, notes IT Governance.
These data-processing rules reach beyond the EU
The GDPR:
- Extends territorial scope: the regulation applies to the processing of personal data of people in the EU regardless of whether the controller or processor is established in the EU, so processing that takes place outside the EU is covered too.
- Establishes stiff penalties (up to 20 million euros or 4% of global annual turnover, whichever is greater).
- Strengthens the conditions for consent: requests for consent must be presented in an intelligible and easily accessible form, in clear and plain language, and must be as easy to withdraw as to give.
Also included in the rules are mandatory breach notification (to the supervisory authority within 72 hours of becoming aware of a breach), the right to access, the “right to be forgotten,” data portability, privacy by design, and the appointment of data protection officers.
GDPR Impact on U.S. Businesses: Evaluate your European connections
“Canadian and US companies with any connection to Europe–whether through subsidiaries, customers, or suppliers–stand to be affected,” IT Governance noted. “Companies should therefore take steps to determine whether the GDPR is applicable, and consider revising their information handling processes to ensure compliance.”
Is this you? Affected companies, which run the gamut from financial institutions to retail vendors, include those that have a presence in the EU or process the personal data of EU residents, explained CSO Online.
Good news: Those companies that already live by the rules of the Health Insurance Portability and Accountability Act (HIPAA) may find some of the provisions of the GDPR sound pretty similar. In some cases, IT Governance said, “GDPR compliance steps will supplement existing measures that many North American organizations adopt as a matter of good practice or to comply with sector or state privacy laws.”
Plus, North American companies that hop on the GDPR wagon will enjoy customer trust, improved brand image, better data governance, and expanded information security.
Assess Risk & Cybersecurity Policies
Consultants Baker Tilly recommend that North American companies affected by GDPR bring in help and make broad assessments:
- Involve stakeholders;
- Evaluate your current cybersecurity management program and determine if it includes data privacy and protection elements which comply with GDPR;
- Conduct a GDPR readiness and risk assessment;
- Consult legal counsel; and
- Execute risk mitigation measures.
You should also prepare by getting your checkbook ready, added PwC, which surveyed U.S. companies about the regulation.
“Securing a $1 million budget for data privacy has been more an exception than a rule for many American corporations,” the company noted in a report. “The GDPR’s potential 4% fine of global revenues, however, has changed budget appetites for mitigating this GDPR risk. While 24% of respondents plan to spend under $1 million for GDPR preparations, 68% said they will invest between $1 million and $10 million. Nine percent (9%) expect to spend over $10 million to address GDPR obligations.”
Smart: And there’s another course of action you can take, PwC added: A good number of U.S. corporations said they plan to de-identify European personal data to reduce their exposure. One caveat: under the regulation, pseudonymised data (data that can still be tied back to a person with additional information held separately) remains personal data; only data that has been truly anonymised falls outside its scope.
Oh—and feeling like you’re behind on your compliance work? You may indeed have a lot of catch-up to do. When queried in April, only 3.3% of affected companies said they had completed just 25% of the required work.