If your company resides in the U.S., you might think the EU’s General Data Protection Regulation doesn’t apply to you. You may be mistaken.
You may not have considered it yet, but GDPR could have substantial impact on your company’s operations.
GDPR, the European Union’s General Data Protection Regulation, took effect May 25, 2018. The regulation stipulates that if a company handles the personal data of anyone located in the European Union (EU), it must take steps to protect that data. Even if the data resides on a server in a non-EU country, if it is the data of an individual in the EU, it still needs to be protected according to GDPR requirements.
“If the personal data relates to EU citizens and was used to monitor them or offer goods and services to them, or it’s data held by an EU data controller, then the EU laws apply,” said Rosemary Jay, a consultant attorney and coauthor of the book Guide to the General Data Protection Regulation.
This means American companies need to comply with GDPR. Those that do not may be vulnerable to fines as high as 4% of revenue or 20 million euros—whichever is greater.
GDPR extends accountability of organizations responsible for protecting the personal data of Europeans, but it also introduces other concepts that increase the exposure of responsible parties.
Of course, data protection isn’t new to the EU. GDPR replaces the EU Data Protection Directive, which was adopted in 1995 and was the first EU-wide regulation on data protection. The directive provided a consistent set of rules on storing and processing personal data among EU member states, giving “data subjects” (the individuals whom the data identifies and to whom the data refers) a number of rights and remedies.
Prior to the EU Data Protection Directive, several European countries had individual data protection regulations in force dating back to the first one, which was enacted in 1972 in the German state of Hesse.
With GDPR, seeking exemption from EU data protection regulation will be more complicated. GDPR introduces concepts that extend responsibility to companies previously unaffected by EU regulation. These concepts are the following:
Compliance with GDPR also increases the workload of responsible parties with well-defined concepts, including the following:
Noncompliance with GDPR comes with stiff penalties. Regulators can now impose the maximum fine of up to 4% of revenue, or 20 million euros—whichever is greater—on organizations that have either not obtained sufficient consent to process data or that have not adhered to the privacy-by-design concepts.
The U.S. approaches data protection differently than the EU—and most of the differences are reflections of differences in history and culture.
“The U.S. has a primacy for freedom of expression in a way that is different from the European approach,” Jay emphasized. “In Europe, privacy is more important. Even within Europe, there are differences. In the Eastern European states, for example, there was real enthusiasm towards data protection after the breakup of the Soviet bloc. People have a living memory of what it’s like to be subject to constant surveillance.”
Nevertheless, data protection laws do exist in the U.S., and have since the 1990s. Whereas the European Union has taken a more overarching approach to data protection, the U.S. approach to rigorous protection has remained sector-specific.
“We have long had HIPAA [Health Insurance Portability and Accountability Act] for the healthcare sector; we have long had Gramm-Leach-Bliley for the finance sector,” said Rebecca Herold, a data privacy expert and author of several books, including Managing an Information Security and Privacy Awareness and Training Program.
“These kinds of protections of individual data, particularly HIPAA, have brought steep penalties and fines. But in other industries, there are no comprehensive data protection regulations. Instead, there are hundreds of segmented privacy laws that are narrowly focused, such as the different breach notification laws in 54 different states and territories.”
As U.S.-based organizations wake up to the fact that they may be held responsible for protecting EU-based consumer data, they are often surprised to find out the extent of personal data that needs to be protected.
“GDPR is not just about implementing controls for healthcare customers or patients like HIPAA is,” Herold said. “It’s also about protecting all types of personal data, including data on employees and data on independent contractors. It’s even about people who submit job applications and resumes. Now organizations have to implement controls for all those people they may have no business ties with.”
GDPR will pose only a small challenge for U.S.-based organizations in the healthcare sector. “Healthcare organizations in the U.S. are already in pretty good shape,” Herold said. “They may have to update their policies and procedures, as well as their risk assessments to make those assessments fit the data protection impact assessments [DPIAs] specific to GDPR. They’ll also have to consider privacy harms to their patients, customers, and business partners—the employee data of those partners, for example.”
But organizations that have not yet dealt with regulations such as HIPAA have a bit of work to do to comply with GDPR. They should start with a GDPR DPIA or a GDPR-specific analysis to identify and fill gaps.
“The main thing is to make a plan, take action and exhibit documented due diligence,” Herold said.
Affiliated professor at Grenoble École de Management, and author of the book Master the Moment: Fifty CEOs Teach You the Secrets of Time Management, Pat Brans writes and teaches about cutting-edge technology and the business surrounding technological innovation. Previously, Brans worked in high tech for 22 years, holding senior positions in three large organizations (Computer Sciences Corp., then-HP, and Sybase).