The EU law went into effect May 25, 2018 – and heavy fines await U.S. companies that aren’t in compliance
Beginning on May 25, 2018, companies that collect personal data on people in the European Union (EU) must meet the requirements of the General Data Protection Regulation (GDPR) – or face steep financial penalties.
But a 2017 study by Veritas Technologies found that while 31 percent of companies worldwide believed they were GDPR compliant – only 2 percent were correct. Gartner predicts that more than 50 percent of organizations affected by the GDPR will still not be in full compliance with its regulations by the end of 2018.
These statistics are alarming since the maximum fine for the most serious violations is €20 million (roughly $23 million) or 4 percent of the company’s total worldwide annual turnover for the preceding financial year – whichever is higher. Note that the percentage is of gross revenue, not profit after taxes. Failures of the security and breach-notification obligations sit in a lower tier of €10 million or 2 percent, so a breach that results from inadequate safeguards, or that goes unreported, can itself trigger a fine.
The GDPR is seen by many as a groundbreaking victory for consumers and is expected to set a new standard for consumers’ rights regarding their own data. But many American companies are still struggling to understand what that means for the way they do business in the EU – and what systems and processes they need to add or change to comply.
Here’s what every U.S. company needs to know about the GDPR:
What is the GDPR?
The EU created the GDPR to give people in the EU better control over their personal data – including where it is stored, what it is used for, and the ability to have it erased. It was adopted by the European Parliament in April 2016, with a two-year transition period, to replace the 1995 Data Protection Directive – written well before the Internet became integral to business.
In a nutshell, the GDPR sets rigorous requirements for how businesses and the public sector protect the personal data and privacy of the EU’s roughly 500 million residents, whether the processing happens inside an EU establishment or is aimed at people in the EU from elsewhere. It requires organizations to keep records of what personal data they hold, why they process it, how long they retain it, and when it will be deleted.
That includes the use of data in targeting consumers for marketing campaigns and gathering information based on their digital behavior. The law also regulates the exportation of personal data that belongs to EU citizens.
There is a lot of room for interpretation: for instance, the GDPR requires “appropriate technical and organisational measures” to protect personal data, taking into account the state of the art, the cost of implementation, and the risk to individuals – but it doesn’t define what counts as appropriate. Unfortunately for businesses, such open-ended language gives supervisory authorities considerable discretion when assessing fines for data breaches and non-compliance – making it more important than ever that companies adopt, and document, cybersecurity best practices.
About two-thirds of U.S. companies believe that the GDPR will force them to rethink their strategy in Europe.
What are the law’s key requirements?
Basically, covered entities must respect the rights of data subjects (the people the data is about). They must be transparent about how data is handled and have a lawful basis, such as the person’s consent or a contractual necessity, before processing it.
Personal data must be collected for specified purposes, limited to what is needed, and protected from misuse and exposure. People must also be given ways to access, correct, export, and delete information held about them. Key requirements include:
- Requiring a lawful basis for every processing activity. Consent is one of six such bases; where consent is relied on, it must be freely given, specific, informed, and unambiguous, and as easy to withdraw as it was to give.
- Giving people control over personal data through a right of access (a copy of the data held on them), a “right to portability” (their data in a machine-readable format for transfer to another provider), and a “right to erasure”, also called the “right to be forgotten” (the ability to direct a company to delete their personal data under specific circumstances). Requests must be answered without undue delay and in any event within one month – not within 24 hours, as is sometimes claimed.
- Requiring companies to take “appropriate” technical and organizational measures to protect personal data against loss, unauthorized access, or exposure; the regulation names pseudonymization and encryption as examples.
- Minimizing exposure by collecting only the data needed and pseudonymizing it where possible. Truly anonymous data, which can no longer be linked to a person, falls outside the regulation entirely.
- Mandating that companies report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and notify the affected people without undue delay when the risk to them is high.
- Requiring the safe handling of personal data transfers outside the EU.
- Requiring companies to appoint a data protection officer (DPO) to oversee GDPR compliance if they are a public authority, if their core activities involve regular and systematic monitoring of people on a large scale, or if they process special categories of data (such as genetic, health, racial or ethnic origin, or religious belief data) on a large scale. Routine HR records about a company’s own staff are generally treated as a support function rather than a core activity, so they do not by themselves trigger the requirement.
What types of data does the GDPR protect?
The GDPR takes a broad view of personal data: any information relating to an identified or identifiable person. It covers online identifiers such as cookie IDs and IP addresses alongside the more commonly protected items such as name, address, and identification numbers (the rough equivalent of a Social Security number). Protected data includes:
- Basic identity information, including name, address, and identification numbers
- Web data, including IP address, location, cookie data, and RFID tags
- Special categories that receive extra protection and may only be processed under narrow conditions:
- Biometric data used to uniquely identify someone
- Health and genetic data
- Racial or ethnic origin
- Sexual orientation and sex life
- Political opinions, religious or philosophical beliefs, and trade union membership
Is my company affected by the new law?
Read this carefully: The GDPR is a European law, but it applies to organizations anywhere in the world that offer goods or services to people in the EU or monitor their behavior there.
Any company that stores or processes personal data of people located in the EU must comply, regardless of those people’s citizenship and even if the company has no office or other business presence in the EU.
If any of these criteria apply to your company, you must meet the mandates of the GDPR:
- An establishment (office, subsidiary, or other presence) in an EU country.
- No presence in an EU country, but your company processes the personal data of people in the EU by offering them goods or services (paid or free) or by monitoring their behavior, for example through web analytics or ad tracking. Translation: located elsewhere? The law still applies to your company.
Company size does not change whether the law applies. The often-cited 250-employee threshold concerns only one obligation: organizations with fewer than 250 employees are exempt from keeping formal records of their processing activities, but that exemption is lost if the processing is likely to result in a risk to people’s rights and freedoms, is not occasional, or includes special categories of data or criminal-conviction data. In practice that pulls nearly every company back under the record-keeping requirement as well.
When does my company need to be in compliance?
The GDPR became fully enforceable on May 25, 2018, after a two-year transition period. If your company processes data about people in the EU, you risk heavy fines if you aren’t meeting its mandates.
What will GDPR preparation cost my company?
A Propeller Insights 2018 survey reports that most companies expect to spend less than $1 million to achieve GDPR compliance. Nearly 40 percent said they would spend between $50,000 and $100,000, and 24 percent said they have budgeted for between $100,000 and $1 million. Only about 10 percent of companies expect to spend more than $1 million, the survey reports.
Are my relationships with third-party vendors and customers affected by the law?
The GDPR imposes obligations on both data controllers (the entity that decides why and how personal data is processed) and data processors (outside entities that process it on the controller’s behalf). Processors can now be fined directly, controllers may only use processors that provide sufficient guarantees, and the two must have a written contract (a data processing agreement) setting out the processor’s duties. Put simply, if your third-party vendor is not in compliance, you are exposed too. It’s vital that you verify that outside companies that process your data meet the mandates of the law.
To avoid being held responsible for another company’s non-compliance, businesses should carefully craft contracts with vendors and customers that spell out each party’s responsibilities under the GDPR and what they can and cannot do with the data. Contracts should also define consistent processes for how data is managed and protected, how sub-processors are approved, how data is returned or deleted at the end of the engagement, and how quickly breaches are reported to you – your own 72-hour clock depends on hearing from them promptly.
How does the GDPR impact cybersecurity?
The GDPR does not provide a checklist of technical capabilities required to achieve compliance. Instead it requires security measures that are “appropriate” to the risk, “taking into account the state of the art” and the cost of implementation, and it names specific examples: pseudonymization and encryption of personal data; ensuring the ongoing confidentiality, integrity, availability, and resilience of systems; the ability to restore access to data after an incident; and regular testing of those measures. With a stated goal of rigorously protecting personal data, there is no doubt that covered entities will be held to a high cybersecurity standard.
Cybercrime is growing at an alarming rate; by one widely quoted industry estimate, a business falls victim to a ransomware attack every 14 seconds. And with fines that can reach 2 percent of worldwide turnover for inadequate security and 4 percent for the most serious violations, an investment in cybersecurity best practices can pay for itself many times over.
Here are four steps your company can take to begin to satisfy the cybersecurity requirements of the GDPR:
- Continuously assess security risks. Data can be lost or stolen in many ways, so it’s critical to perform regular checks on all forms of online interaction, including social media, email, and website traffic. This will help you identify and secure the areas most vulnerable to a breach. Risk assessments can also evaluate how effectively your network access controls and endpoint protection halt the spread of viruses, malware, and other malicious activity. Documenting these assessments matters in itself: the GDPR expects you to be able to demonstrate that your measures are appropriate to the risk.
- Move beyond standard firewall technologies. As the world becomes more connected, the opportunities for attackers to infiltrate even well-defended networks multiply. A firewall is a good start, but a multi-layered strategy is the best way to guard against cyber-attacks: encrypt personal data at rest and in transit (including unstructured data such as documents and email), automate the manual data-handling steps that invite mistakes, keep personal data in a known, inventoried set of locations rather than in scattered copies, and secure your managed file transfers.
- Consolidate visibility over network access. Bringing all network access endpoints under a single management console makes it easier for IT teams to supervise and protect the flow of data, control who can pass through an endpoint, and improve detection and response times for suspicious activity. It also creates an audit trail you can produce for a supervisory authority after an incident.
- Tighten restrictions around data collection and storage. The GDPR is forcing websites to tighten their data practices. For instance, it’s no longer OK to assume that someone who visits your website is granting you permission to use their personal information for marketing. Instead, consent must be obtained through a clear affirmative action (no pre-ticked boxes) and plain language prominently placed on the website, and it must be as easy to withdraw as it was to give.
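As an added worked example (not code from the original article or from CyberGuard360), the Python sketch below shows how the portability and erasure rights described earlier and the encryption and data-storage points in the steps above fit together in practice. Identifiers are replaced by a keyed pseudonym (HMAC-SHA256 under a secret key) before they reach the behavioral/analytics table, and the token-to-identity mapping is kept in a separate, access-controlled table, so a breach of the analytics table alone exposes no directly identifying data. The class name, the two in-memory dicts standing in for two separately secured databases, and the in-process demo key are assumptions of this example; in production the HMAC key would come from a KMS or HSM.

```python
"""Pseudonymised customer store with portability and erasure support.

Added illustration; not code from the original article or from CyberGuard360.
Assumptions: the two dicts stand in for two separately secured databases,
and the HMAC key is supplied by a KMS/HSM in production rather than being
generated in-process as in the demo at the bottom.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def _normalise(email: str) -> str:
    # "Alice@Example.com " and "alice@example.com" must map to one subject.
    return email.strip().lower()


class PseudonymStore:
    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("HMAC key must be at least 32 bytes")
        self._key = key
        # Identity table: token -> directly identifying data. Tightly restricted.
        self.identities: dict[str, dict] = {}
        # Analytics table: token -> behavioural records. Holds no name or e-mail.
        self.events: dict[str, list[dict]] = {}

    def token_for(self, email: str) -> str:
        # Keyed pseudonym: without the key an attacker cannot recover e-mail
        # addresses by hashing a dictionary of candidates, as they could
        # against a plain (unkeyed) SHA-256 of the address.
        msg = _normalise(email).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def register(self, name: str, email: str) -> str:
        tok = self.token_for(email)
        self.identities[tok] = {"name": name, "email": _normalise(email)}
        self.events.setdefault(tok, [])
        return tok

    def record_event(self, email: str, event: dict) -> None:
        self.events.setdefault(self.token_for(email), []).append(event)

    def export(self, email: str) -> dict:
        """Access / portability request: everything held on the subject."""
        tok = self.token_for(email)
        if tok not in self.identities:
            raise KeyError("no identity on file for this subject")
        return {"identity": dict(self.identities[tok]),
                "events": list(self.events.get(tok, []))}

    def erase(self, email: str) -> int:
        """Erasure request. Returns the number of rows removed.

        Pseudonymised rows are still personal data while the controller can
        re-link them, so both tables are purged, not just the identity row.
        """
        tok = self.token_for(email)
        removed = 1 if self.identities.pop(tok, None) is not None else 0
        removed += len(self.events.pop(tok, []))
        return removed

    def analytics_view(self) -> list[dict]:
        """What an analyst, or an attacker who reaches only this table, sees."""
        return [{"token": t, "events": list(e)} for t, e in self.events.items()]


if __name__ == "__main__":
    store = PseudonymStore(secrets.token_bytes(32))  # demo key only; use a KMS in production
    store.register("Alice Example", "Alice@Example.com ")
    store.record_event("alice@example.com", {"page": "/pricing", "ts": "2018-05-25T09:00:00Z"})
    print("analytics table:", store.analytics_view())
    print("portability export:", store.export("alice@example.com"))
    print("rows erased:", store.erase("alice@example.com"))
```

The design choice worth noting is the keyed hash: a plain SHA-256 of an e-mail address is not a pseudonym in any useful sense, because anyone with a list of candidate addresses can recompute it. Rotating or destroying the HMAC key also severs every link at once, which is useful when a whole dataset reaches the end of its retention period.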
The GDPR’s new cybersecurity standard is likely to cause growing pains for many businesses as they struggle to understand their responsibilities under the new law. Even so, it is being lauded as a critical step to keep consumer data safe while protecting against ever-evolving cybersecurity threats. Avoidance isn’t the answer – most likely it’s only a matter of time until the U.S. adopts a similar regulatory standard.
An experienced cybersecurity provider can help your company meet the GDPR’s robust security mandates and continue to reap rewards from successful relationships with consumers and business partners in Europe.
CyberGuard360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education and training, and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.