The General Data Protection Regulation (GDPR), which was ratified in 2016 and will be enforced in May 2018, requires companies to meet higher standards for the protection of personally identifiable information. As the deadline gets closer, many US corporations are wondering how GDPR will impact them.
How does the GDPR impact US corporations?
To put it simply, if your organization does business in the EU, offers goods and services to EU citizens, or processes EU citizen data, then the provisions of the GDPR apply. Most notably, US companies should be aware of the following provisions of the GDPR:
- More rigorous data security measures to protect the confidentiality, integrity, and availability of personal information, including provision for technical measures such as encryption. Data controllers and processors must limit collection to the purposes for which consent was obtained;
- A higher bar for obtaining consent, which must be in the form of clear, affirmative action. This higher standard contrasts with the previous EU Directive, which allowed for implicit opt-out consent. This higher bar extends to tracking cookies designed to identify a device and/or individuals;
- New breach notification provisions with considerably more teeth, with fines that may potentially be as high as 4% of annual revenues. The definition of "data breach" is "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." This is in stark contrast to the practice of US companies, which report only data breaches that may result in fraud or identity theft;
- Choice by which data subjects may opt-out of the disclosure or use of data, particularly when the intended disclosure or use is inconsistent with the original purpose for which the data was collected;
- Access by data subjects to correct and delete any inaccurate information, including a "right to be forgotten"; and
- Cross-border transfers of EU citizen data must meet the adequacy standard. Furthermore, as a direct response to the Snowden revelations relating to the bulk collection of personal data, the European Commission and the US Department of Commerce have jointly developed a new framework for onward transfer, the EU-US Privacy Shield Framework, which supplants the previous Safe Harbor provisions.
Are US companies ready for the GDPR?
The 2016 Telstra Cybersecurity Report found that nearly 60% of organizations surveyed lack sufficient cyber security and privacy staff to handle the increasing demands of legal compliance.
Thus, it is no surprise that investments in data privacy best practices and technologies are on the rise. A PwC survey found that 68% of US companies are expected to invest anywhere from $1 to $10 million in GDPR readiness.
What investments should US companies focus on?
Consideration should be given to the following initiatives:
- Implementation of a robust corporate governance framework. A useful model to consider is the Information Governance Reference Model (IGRM). The IGRM model is an extension of the ARMA Generally Accepted Recordkeeping Principles;
- A Data Privacy Impact Assessment to understand current collection practices relating to personally identifiable information, identify the related risks, and define measures to mitigate them;
- Application of machine learning technologies, such as intelligent capture and classification, to digitize incoming information, identify patterns in the data collected, and organize, preserve, and protect data consistent with GDPR requirements.
Having in place a well-defined and clearly articulated information governance best practice empowers organizations to not only mitigate risk, but also to leverage information assets for competitive advantage. A proactive information governance strategy will empower US organizations to comply with a more robust data privacy regime mandated by the GDPR.