As the Friday before Memorial Day weekend, many Americans see this May 25th as the unofficial kick-off for summer. Businesses around the world have been preparing for this day for months, however, and not with beach plans but with major investments to comply with the General Data Protection Regulation (GDPR) which goes into effect that day.
Passed by the European Union (EU) in April 2016, the GDPR requires businesses to protect the personal data and privacy of EU citizens in transactions that take place within EU member states. It also regulates the use of EU citizens’ data outside the union.
It’s that last part of the regulation and the threat of a substantial fine for violations that has prompted cybersecurity upgrades and improvements worldwide. Companies found violating the GDPR may be charged up to 20 million euros (over US $23,600,000) or 4 percent of revenue, whichever is greater.
I generally feel that it’s good to figure out how to be compliant with anything that can put you out of business. I’ve been hard at work for weeks to ensure my immigration law practice is compliant by the May 25th deadline.
What does the GDPR cover?
The GDPR has 99 articles that govern the collection, storage and usage of EU citizens’ personal data.
Personal data includes a wide range of commonly collected information. Names, addresses, ID numbers, IP addresses and cookies that your website collects, racial or ethnic data, health and genetic data, sexual orientation and biometric data all qualify. Even political opinions are deemed personal data.
The GDPR distinguishes between the roles of data controller (one who specifies the purposes for the data and how it is processed) and data processors (internal staff or outsourced partners who maintain and process personal data records) but holds them both responsible for compliance. Organizations are required to designate a Data Processing Officer (DPO) to oversee compliance inside and outside the firm.
In addition, personal data is only to be used for the purpose it was collected. An unapproved use of the data is grounds for a fine. That could be as simple as sending a newsletter to someone who did not agree to subscribe. EU citizens may request the deletion of their data and firms must comply.
If you collect and use any of this information from EU citizens, the GDPR applies to your company and any person or company that can access that information or that receives it in the course of doing business with you.
What does compliance look like?
I am the DPO for my firm. Our compliance will involve investments in new hardware and software as well as changes to the way my business operates.
The GDPR has many levels to ensure compliance. As a starting point I’ve had to think of all the data I collect, all the places it is stored, and all of the European firms and citizens I do business with.
While I have always been diligent and careful with personal data, I am now ensuring that not only are my hard drives and flash drives encrypted but that those of my staff are encrypted as well. Any other devices that store that data need the same protection.
I am implementing another layer of protection with encryption software and have invested in cybersecurity insurance.
As I turned my attention to the EU firms I work with, I realized that certain mundane communication routines will need to change.
I work with several European consulting firms. In the past, the owner of one of these firms – let’s call him Magnus for this example – would email me to say that he had a consultant that he wanted to send to the U.S. to work. He would sometimes include their email address and other personal information in the email for convenience.
We can’t do that anymore. Regular email is not a secure transfer of information.
I already have a secure database and clients have logged data directly in the past. Now all of my European clients and anyone handling EU citizen data will need to do that by law.
Doing Business with GDPR In Effect
By sharing some of the steps I am taking to comply with the GDPR I hope that you can see the high priority I put on the security of the data clients send and on their privacy. I also hope I have given you a clearer picture of what companies need to do to comply.
Please contact me if you have any questions on how we communicate and transfer data.