Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Do you need to comply with GDPR?

If your company resides in the U.S., you might think the EU’s General Data Protection Regulation doesn’t apply to you. You may be mistaken.

You may not have considered it yet, but GDPR could have substantial impact on your company’s operations.

GDPR, the European Union’s General Data Protection Regulation (GDPR), took effect May 25, 2018. The regulation stipulates that if a company handles the personal data of anyone located in the European Union (EU), it must take steps to protect that data. Even if the data resides on a server in a non-EU country but handles the data of an individual in the EU, the data still needs to be protected according to GDPR requirements.

“If the personal relates to EU citizens and was used to monitor them or offer goods and services to them, or it’s data held by a EU data controller, then the EU laws apply,” said Rosemary Jay, a consultant attorney and coauthor of the book Guide to the General Data Protection Regulation.

This means American companies need to comply with GDPR. Those that do not may be vulnerable to fines as high 4% of revenue or 20 million euros—whichever is greater.

EU takes a stance on data protection

GDPR extends accountability of organizations responsible for protecting the personal data of Europeans, but it also introduces other concepts that increase the exposure of responsible parties.

Of course, data protection isn’t new to the European Union (EU). GDPR replaces the EU Data Protection Directive, which, was adopted in 1995, was the first EU-wide regulation on data protection. The directive provided a consistent set of rules on storing and processing personal data among EU member states, providing “data subjects” (individuals that the data identifies and to whom the data refers) a number of rights and remedies.

Prior to the EU Data Protection Directive, several European countries had individual data protection regulations in force dating back to the first one, which was enacted in 1972 in the German state of Hesse.

What’s new with GDPR?

With GDPR, seeking exemption from EU data protection regulation will be more complicated. GDPR introduces concepts that extend responsibility to companies previously unaffected by EU regulation. These concepts are the following:

  • Wider geographic scope. GDPR applies to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. This is key to enlarging the geographic scope of the regulation and makes companies accountable whether they reside in the EU or not. GDPR also applies regardless of whether data processing occurs in the EU or whether payment is made for data handling.
  • Responsibilities lie with data controllers and data processors. The new accountability rules apply to data controllers (organizations or individuals who “determine the purposes and means of the processing of personal data”) and data processors (organizations or individuals who “process personal data on behalf of the controller”). This means cloud providers are not exempt, nor are organizations providing data storage or handling services to cloud providers.

Compliance with GDPR also increases the workload of responsible parties with well-defined concepts, including the following:

  • Transparency. Upon request, data controllers must provide confirmation to data subjects as to whether personal data is being processed, where, and for what purpose.
  • Conditions for consent. The request for consent must be presented in an intelligible and easily accessible form. Organizations must make it as easy to withdraw consent as it is to give consent.
  • The right to be forgotten. Data subjects can require the data controller to erase his or her personal data.
  • Data portability. The data subject can request that all personal data be transferred from one data controller to another.
  • Breach notification. Data controllers must now notify customers of a data breach within 72 hours. As for data processors, they must notify their customers (the data controllers) of breaches “without undue delay.”
  • Privacy by design: Organizations must be able to demonstrate that data protection has been designed into all systems that process personal data.

Noncompliance with GDPR comes with stiff penalties. Regulators can now impose the maximum fine of up to 4% of revenue, or 20 million euros—whichever is greater—on organizations that have either not obtained sufficient consent to process data or that have not adhered to the privacy-by-design concepts.

Data protection perspectives

The U.S. approaches data protection differently than the EU—and most of the differences are reflections of differences in history and culture.

“The U.S. has a primacy for freedom of expression in a way that is different from the European approach,” Jay emphasized. “In Europe, privacy is more important. Even within Europe, there are differences. In the Eastern European states, for example, there was real enthusiasm towards data protection after the breakup of the Soviet bloc. People have a living memory of what it’s like to be subject to constant surveillance.”

Nevertheless, data protection laws do exist in the U.S., and have since the 1990s. Whereas the European Union has taken a more overarching approach to data protection, the U.S. approach to rigorous protection has remained sector-specific.

“We have long had HIPAA [Health Insurance Portability and Accountability Act] for the healthcare sector; we have long had Gramm-Leach-Bliley for the finance sector,” said Rebecca Herold, a data privacy expert and author of several books, including Managing an Information Security and Privacy Awareness and Training Program.

These kinds of protections of individual data, particularly HIPAA, have brought steep penalties and fines. But in other industries, there are no comprehensive data protection regulations. Instead, there are hundreds of segmented privacy laws that are narrowly focused, such as the different breach notification laws in 54 different states and territories.”

As U.S.-based organizations wake up to the fact that they may be held responsible for protecting EU-based consumer data, they are often surprised to find out the extent of personal data that needs to be protected.

“GDPR is not just about implementing controls for healthcare customers or patients like HIPAA is,” Herold said. “It’s also about protecting all types of personal data, including data on employees and data on independent contractors. It’s even about people who submit job applications and resumes. Now organizations have to implement controls for all those people they may have no business ties with.”

How to comply with GDPR

GDPR will pose only a small challenge for U.S.-based organizations in the healthcare sector. “Healthcare organizations in the U.S. are already in pretty good shape,” Herold said. “They may have to update their policies and procedures, as well as their risk assessments to make those assessments fit the data protection impact assessments [DPIAs] specific to GDPR. They’ll also have to consider privacy harms to their patients, customers, and business partners—the employee data of those partners, for example.”

But organizations that have not yet dealt with regulations such as HIPAA have a bit of work to do to comply with GDPR. They should start with a GDPR DPIA or a GDPR-specific analysis to identify and fill gaps.

“The main thing is to make a plan, take action and exhibit documented due diligence,” Herold said.

For more Cisco resources on GDPR:

Pat Brans

Affiliated professor at Grenoble École de Management, and author of the book Master the Moment: Fifty CEOs Teach You the Secrets of Time Management, Pat Brans writes and teaches about cutting-edge technology and the business surrounding technological innovation. Previously, Brans worked in high tech for 22 years, holding senior positions in three large organizations (Computer Sciences Corp., then-HP, and Sybase).