Much has been written in Europe about the General Data Protection Regulation (GDPR), a new set of legislation due to come into effect on May 25, 2018, and billed as having the greatest impact on data collection, storage and usage of any regulation in the last 20 years. Fundamentally, from this date, organisations will need to obtain positive consent from customers and employees within the EU, to use data for stated purposes only and to erase it within specific time frames.
So far, most businesses have looked at GDPR as being an EU-only issue, meaning US companies do not need to worry about it. This is, however, simply not the case. Any US-based organisation that conducts business in the EU or with people in the EU (even if the company itself is not located there) may be subject to GDPR. For example, if a US business uses data collected from people in EU member states for the purpose of targeted advertising, it is subject to GDPR. If a US business conducts e-commerce and accepts money in the currency of an EU member state, it is subject to GDPR. You get the picture.
The list of examples of how a US company can fall into GDPR scope goes on and on. In order to be compliant, at a minimum, the company’s website should have a consent check box whose default value is unset (i.e. not pre-ticked).
The key here is the territorial aspect of GDPR, which differs from the 1995 EU Data Protection Directive: if a US company has collected data on individuals while they are located in the EU, then it must comply with GDPR. Conversely, if an EU citizen is in the US and uses a website designed for the US, then GDPR does not apply. Also, if a website is considered global and does not use the language of, or accept the currency of, an EU member state, then GDPR will likely not apply.
The repercussions for a US-based company that fails to comply with GDPR are the same as for an EU-based company, with a fine of either €20 million or 4 per cent of annual worldwide turnover, whichever is greater. This could be a significant blow to a US small-to-medium sized business that is unaware of the new laws.
Here Brickendon takes a brief look at what US firms should be looking out for to ensure they don’t fall foul of the new GDPR legislation:
Scope of personal data: The definition of personal data has been expanded to include not just name and address, but also other types of data, including IP addresses and system IDs or cookies. Even the account mnemonics often used by financial companies to specifically identify individuals are now included.
Justification for processing and consent: GDPR raises the bar for the ‘legitimate interest’ required for collecting and processing personal data. Individuals must be presented with the business purpose for each collected item at the exact time of collection. Explicit consent is required for data to be collected and processed. Consent can be retracted at any point, and can never be considered implicit (i.e. no pre-ticked boxes).
Security, liability and data breach notification: Under GDPR, both the data collector and processor are responsible for the security of the collected data. In the case of outsourcing, third-party vendors can only be chosen from partners that can ensure full compliance with GDPR and all contracts must be future-proofed with clear stipulation of the responsibilities and the data protection requirements. In the event of a breach, companies must report it to the local Data Protection Authority without undue delay, and no later than 72 hours after the occurrence.
Fines and enforcement: The fines for non-compliance are one of the biggest changes GDPR brings, ranging up to €20 million, or 4 per cent of a firm’s global turnover, whichever is greater.
Data protection officers: Under current regulation, firms can voluntarily appoint a Data Protection Officer (DPO) to oversee the handling of data within the company. However, under GDPR, DPOs are mandatory for certain cases. The DPO should be a domain expert, and there is talk about special certifications and standardisation of knowledge to evidence competency. The DPO function can be outsourced and shared with other companies.
International data transfers: Data can only be transferred to countries on an approved list, with a satisfactory level of protection.
Data portability: Under GDPR, individuals are able to ask for personal data collected about themselves to be provided in a readable format without any hindrance from the Data Controllers. The individual can then provide this data to any other vendor who should be able to fully integrate it into their own systems.
As well as the obvious benefit of avoiding the fines and potential reputational damage of non-compliance, there are further benefits to ensuring your firm complies with the new legislation, wherever it is based. These benefits, including lower admin costs, consistency, compliance and client satisfaction, are real and have the potential to translate into increased revenue for financial services firms, especially if you stand out amongst your peers.
As with any legislative change, the key is to see complying with GDPR not as another regulatory burden, but as an opportunity to make the way you handle data a selling point, and a strong platform to grow and evolve in today’s data-driven world. Becoming compliant is as much about the journey as it is about the destination.
To find out more about what GDPR means for you and your business, see our insight paper GDPR, are you prepared? or our case studies: