GDPR Influencing U.S.
Do you have business in Europe? Does your data include European citizens' information even if it is stored outside Europe? If so, you will be required to conform to the General Data Protection Regulation (GDPR). This is a law passed by the European Union (EU) in 2016 (effective May, 2018) to protect EU private citizens' identity rights and reduce identity theft. GDPR applies to any business operating in the EU, no matter where the organization is physically located. This is true whether you have a contact center or just a website that collects citizen data. All sensitive, personal information relating to EU citizens must be stored securely and protected according to the GDPR requirements.
I reached out to Angelo Spenillo, General Counsel for Siteimprove North America, for expert comments on the implications of GDPR and what U.S.-based companies need to do to prepare. Here's some of his insight:
How Does GDPR Affect Websites?
If your website sells goods and services to, or simply tracks behavior of, European citizens, then the GDPR can apply to your website and how you treat the personal data that you collect. Failure to comply with the GDPR's standards on processing personal data by the May 25, 2018, deadline can result in massive fines for your company -- up to €20 million (~$23.7 million USD) or 4% of annual global turnover, whichever is greater.
How Does GDPR Affect an Organization (IT, Users)?
The GDPR requires that organizations become more aware of the personal data they collect and process, the various inflows and outflows that can impact that personal data, and what can and cannot be done with that personal data. Documenting these items is important to demonstrate accountability and compliance with the GDPR. As a result, this documentation is likely to be where organizations feel the biggest effect of the GDPR.
What Policies Should Be Instituted for GDPR?
There are too many policies to individually list them all, but a good starting place is a policy on the inflow and outflow of personal data for an organization. While implementing this policy can be tedious, it is easier to maintain once the existing data flows have been recorded and employees are trained on the process to record new data flows.
How Do You Go About Enforcing Compliance?
The massive fines for non-compliance with the GDPR are encouragement enough for companies to make the necessary adjustments ahead of the May 25, 2018, deadline. However, it is essential that organizations appoint an internal team to monitor compliance and hold individual units accountable to GDPR standards. These requirements are not static, but rather will be dynamic beyond the deadline, and organizations will be expected to continually ensure that as personal data flows are added, modified, or removed, those data flows remain compliant with the GDPR.
How Do You Assess the Data You Already Have?
GDPR compliance is a company-wide effort requiring input from every department. For that reason, it is critical to poll departments on any systems they use to gather personal data (names, emails, addresses, etc.). From that information, a high-level inventory can be compiled, and organizations -- with assistance of their GDPR compliance team -- can assess:
- What data is "personal" and subject to the GDPR
- How each category of personal data needs to be treated in accordance with the GDPR
- What changes -- if any -- need to be made to policies and processes in handling that personal data
It is critical to conduct manual inquiries internally, as the GDPR pertains to all personal data of EU citizens that a company controls or processes.
What Do You Do When You Collect New Data?
Any GDPR-compliant organization needs to have a process in place by which it can identify, categorize, and document a new flow of personal data. Many organizations are grouping this process under the Privacy Impact Assessment (PIA), which is required under the GDPR. The PIA is a vetting process by which an organization can assess the personal data to be collected and what protections need to be in place to maintain GDPR compliance.
In my correspondence with Spenillo, I found it hard to obtain answers for questions around qualifications and responsibilities of the data protection officer (DPO). My previous No Jitter blog, "GDPR: From the EU to US," includes comments around the role and function of the DPO. The actual requirements for the DPO position will vary based on the organization structure and how it divides up responsibilities around security, privacy, and compliance. There is no universally accepted job description yet.
With the compliance deadline fast approaching and significant fines imposed for non-compliance, businesses should kick start their efforts towards meeting the new standards of data protection. Wait and you will lose.
Join Gary at Enterprise Connect 2018, where he'll be presenting in the session, "Trends in Session Border Controllers: Virtualization & Security," taking place Tuesday, March 13, at 8:00 AM. If you haven't yet registered for Enterprise Connect (March 12-15), register now using the code NOJITTER to save an additional $200 off the Advance Rate or get a free Expo Plus pass.