The General Data Protection Regulation (GDPR) will come into force on May 25, 2018. This law significantly improves data protection for individuals and introduces new rules for all organizations that process and store the personal data of EU residents.
Does the GDPR apply to US companies?
Unlike compliance standards that are industry-specific or apply only to certain countries (e.g., HIPAA and GLBA), GDPR is a global requirement that applies to any organization in the world that works with the data of EU residents. This means that any US company that stores the personal information of EU citizens is subject to the GDPR, even if it has no physical presence in the EU.
Even though the deadline is looming, many organizations still don’t realize they have to comply with the GDPR. The NTT Security Report says that US organizations demonstrate the lowest level of awareness about the scope of the law; only a quarter of respondents understand that the GDPR will affect their organization. Forrester’s “The State of GDPR Readiness” reveals that nearly 30% of companies worldwide believe they are compliant, although they may not be. These organizations claim to implement all the necessary controls, but don’t perform activities that are critical for GDPR compliance, such as data discovery and classification exercises, gap analysis, or data protection impact assessment.
GDPR requirements for US companies: what are key facts to remember?
Here are the seven most critical facts about the GDPR that US companies need to know.
Fact #1. The GDPR applies to organizations across the world.
Unlike the 1995 Data Protection Directive, which applied to the EU only, the GDPR applies to any organization inside or outside the EU that stores or processes the data of EU citizens and residents.
US companies that don’t have a presence in the EU will also have to ensure that all international transfers of sensitive data are carried out in accordance with the rules approved by the European Commission (Article 46). There are frameworks that provide some mechanisms for secure international data transfers — such as the EU-US Privacy Shield and its predecessor, the Safe Harbor framework — but they are not sufficient for GDPR compliance.
Fact #2. Fines for non-compliance are steep.
Fines for non-compliance in GDPR depend on the infraction, and can vary from 2–4% of the company’s annual worldwide turnover or €10-20 million, whichever is higher. The most serious infringements include accidental destruction, loss, change or transmission of personal data, as well as failure to demonstrate explicit consent for data processing.
These fines are substantially higher than those of any compliance standards familiar to US companies. For example, the maximum fine for a HIPAA incident is $1.5 million, which is almost 10 times less than expected average fine for failing a GDPR compliance audit. For example, New York Attorney General Eric Schneiderman fined Hilton $700,000 for two data breaches that affected over 300,000 people and for failing to notify regulators for nine months after discovering the incident. The GDPR’s fine for the same event would be around $420 million (4% of Hilton’s revenue from the year prior to the breach).
Fact #3. Explicit consent is required for data collection and use.
US companies are used to the fact that customers’ data is collected and processed by default. But Article 6 of the GDPR requires organization to get explicit agreement (consent) for the collection and use of an individual’s personal data. This is an absolutely new requirement that doesn’t appear in any of the compliance standards in the US.
To comply with this GDPR requirement, organizations must have documented evidence that consent was given, and that all requests for consent are clear and concise. This might create problems for several types of US companies, such as those that use direct marketing and rely on data analytics.
Fact #4. The GDPR introduces new concepts and roles.
The GDPR introduces a number of concepts and roles that are either new for US companies or that appear under a different name in other compliance standards. One example is the role of Data Protection Officer (DPO), which is called “Compliance Officer” in HIPAA and GLBA, and “Security Officer” in PCI DSS. The GDPR requires organizations to designate a DPO to monitor compliance with the GDPR and provide advice regarding data protection to senior management.
Here are some other terms that are either new for US companies or have a different meaning compared to other compliance standards:
- Personal data — Any information relating to a data subject, or a person who can be identified by his or her name, identification number, location or other factors. Compliance standards in the US generally protect only certain types of data that can be used to commit fraud or identity theft, such as first and last names, Social Security or National Insurance numbers, and ID card numbers. The GDPR’s definition of personal data is much wider; it includes biometric and genetic data, political opinions, trade union membership, ethnic origin and more.
- Data controller — A person, public authority, agency or other body that determines the purposes and means of the processing of personal data. Data controllers are tasked with demonstrating that processing is performed in accordance with the regulation.
- Data processor — A person, public authority, agency or other body that processes personal data on behalf of the data controller.
- Privacy by design and by default — Organizations need to take data privacy into account during the design stages of all projects and ensure that, by default, only the personal data necessary for each specific purpose is collected.
Fact #5. Data subjects have extended rights.
The GDPR guarantees a much wider range of rights for data subjects that will help individuals gain better control over their data. In particular, EU residents that consented to entrust their data to US-based companies will have the right to obtain information about whether their personal data is being processed (Article 15), transfer their personal data between service providers (Article 20) and object to the processing of their data (Article 21).
Some EU residents have already started to use these rights — a good example is a female Tinder user who asked the company to grant her access to her personal data and received a 800-page summary of her activities in Facebook, Instagram and the Tinder app itself. The volumes of personal data that service providers store and process now are truly terrifying, so there is a good chance that more people will ask US companies to explain what data they use and for what purposes.
Fact #6. The GDPR guarantees the right to be forgotten (the right to erasure).
According to Article 17 of the GDPR, if an individual says that their personal data should no longer be processed, the data controller must immediately erase the data from all its systems or stop further dissemination of the data without delay. Although this is not a completely new requirement for US companies (it appeared earlier in the Safe Harbor framework), the right to erasure is one of the most important GDPR requirements and will have a significant impact on how US companies deal with personal data.
Fact #7. The GDPR has stringent rules about data breach notification.
According to Article 33, data controllers have to report a security breach to the supervisory authority no later than 72 hours after it is discovered. If a company fails to do so, it has to provide valid reasons for the delay.
This is significantly less time than mandated by any compliance standards that US companies are familiar with — HIPAA allows 60 days, and some standards, like SOX, don’t even specify an exact timeframe for breach notifications. According to the International Association of Privacy Professionals, the average timeframe for data breach notification in the US varies from 30 to 45 days.
What is GDPR impact on US companies?
The GDPR is designed to provide a unified and clear set of rules that enable stronger data protection in the digital age and help individuals gain better control of their personal information. Achieving compliance will require organizations in the US to completely change their cybersecurity mindset, update their security policies, and rethink the way they store and process customers’ sensitive data. But this is worth the effort. GDPR won’t kill you; it will actually make you stronger. You will get enhanced data security, improved data management and a competitive differentiation from organizations that lag behind in GDPR compliance. And you’ll be well prepared when the US passes its own regulations with similar requirements for consent, the right to be forgotten, data breach notification and so on.