How to Get Your US Business GDPR-Ready in 3 Steps
If you’re not paying attention to the EU’s upcoming GDPR because you are operating in the US, you may want to take a look at this to get your business ready.
On the 25th of May 2018, the way businesses conduct their procedures and protect any data they hold is going to change dramatically. This change is due to the EU’s ‘General Data Protection Regulation’ (GDPR), Regulation (EU) 2016/679. When it comes into force, it will require all companies to assess and adapt the ways they hold and manage the personal data of individuals. The data in question can be anything from a photograph, bank details or medical information to a name or an IP address. While the regulation is EU law, enforced by the national supervisory authorities of the member states, it is key to note that it doesn’t only apply to organizations within the EU. It will directly affect any company that offers products or services to, or holds the personal data of, individuals in the EU, which includes companies within the US.
A major change made by the GDPR is the territorial scope of the new law. The GDPR replaces the 1995 EU Data Protection Directive, which generally did not regulate businesses based outside the EU. Now, even if a US-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.
This means any U.S. company that has a web presence and markets its products over the web will have some homework to do. The main impact will most likely fall on U.S.-based hospitality, travel, software services and e-commerce companies.
With this vital regulation coming into play very soon, how can you get your business ready? Below are three steps to take into consideration.
1. Make Your Staff Aware of the New Requirements
One of the first important steps to take when preparing your company for the new regulation is to ensure that every member of staff is aware of what it means for your business. As a business, regardless of size, it’s crucial you are aware of the new requirements the GDPR asks of you. These requirements may impact the ways certain members of staff conduct their responsibilities and may require you to change aspects of your website, such as only forwarding a customer’s information to third-party companies if the customer has actively ticked a box permitting it (a pre-ticked box does not count as consent).
A recent Forbes article states that, “this can get more complicated when a customer signs up for a service or buys something. The vendor will need to obtain explicit permission for each type of processing done on the personal data (i.e., email promotions or sharing with third-party affiliates will have separate checkboxes).”
2. Read the Regulation and Note the Key Articles
The requirements are set out in the 11 chapters of the regulation, so it’s essential you read through the document thoroughly. The following articles (numbered as in the final text; earlier drafts used different numbers) are key to take note of:
- Article 17: Right to Erasure, also known as the ‘Right to Be Forgotten.’ Data subjects can direct a controller (a company such as yours) to erase their personal data. The controller is legally obligated to delete as per the customer’s
- Article 33: A data controller must notify the relevant Supervisory Authority (SA) of a personal data breach within 72 hours of becoming aware of it, where feasible. The notification must describe the nature of the breach, including the approximate number of data subjects and of personal data records affected.
- Article 34: The controller must also inform the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Article 37: Any company whose core activities involve large-scale processing of special categories of data, including health, racial or ethnic origin, religious beliefs and genetic data, must appoint a Data Protection Officer.
- Article 3: Territorial scope. The regulation applies to businesses outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, holding them to the same requirements as an EU company. International transfers of personal data out of the EU are governed separately by Chapter V (Articles 44 to 50). For an overview, see the infographic on the GDPR provided by Sage.
- Article 83: Sets out the administrative fines for non-compliance (discussed in depth below).
3. Compliance & Penalties
The GDPR also brings with it increased penalties for any company found to be non-compliant. A Supervisory Authority can impose administrative fines (Article 83) on any company that fails to comply. These fines depend on the circumstances, yet may be up to 4% of a business’s total worldwide annual turnover for the preceding financial year, or €20m, whichever sum is greater. Compliance with the GDPR also means honouring the enhanced rights of data subjects. For a company, that means you have to ensure the Right to Erasure (mentioned above) is enforced, and, under the right of access (Article 15), that individuals can obtain a copy of any personal data you currently hold on them.
So, yes, US-based businesses that have a web presence in the EU will most definitely want to pay attention to the new GDPR rules to stay ahead of any issues that may come out of this new legislation.
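As an added example (not code from the original article or from any vendor it mentions), here is a small Python sketch of how the per-purpose consent, access and erasure requirements above translate into application logic: each processing purpose is gated on its own recorded opt-in, withdrawing consent immediately stops that processing, a subject can be handed a copy of everything held, and erasure removes the record while leaving an audit entry that carries only an opaque identifier. The purpose names, the `DataStore` class and the `breach_notification_deadline` helper are assumptions made for illustration; the helper only computes the Article 33 deadline from the moment you became aware of a breach.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed processing purposes for a web shop. Each needs its own explicit
# opt-in: no pre-ticked boxes and no bundled "agree to everything" consent.
PURPOSES = {"order_fulfilment", "email_promotions", "third_party_sharing"}


class ConsentError(Exception):
    """Raised when processing is attempted without recorded consent."""


@dataclass
class SubjectRecord:
    email: str
    profile: dict
    # purpose -> UTC time of the explicit opt-in; absence means no consent
    consents: dict = field(default_factory=dict)


class DataStore:
    """Illustrative in-memory store keyed by an opaque subject id (assumption)."""

    def __init__(self):
        self._subjects = {}   # subject_id -> SubjectRecord
        self.audit_log = []   # append-only (when, subject_id, event); no personal data

    def _log(self, subject_id, event):
        self.audit_log.append((datetime.now(timezone.utc), subject_id, event))

    def register(self, subject_id, email, profile, opted_in):
        """Store a new subject. `opted_in` is the set of boxes the user actively ticked."""
        unknown = set(opted_in) - PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        now = datetime.now(timezone.utc)
        self._subjects[subject_id] = SubjectRecord(
            email=email, profile=dict(profile), consents={p: now for p in opted_in})
        self._log(subject_id, f"registered; consent for {sorted(opted_in)}")

    def withdraw_consent(self, subject_id, purpose):
        """Withdrawal takes effect immediately for that purpose only."""
        self._subjects[subject_id].consents.pop(purpose, None)
        self._log(subject_id, f"withdrew consent: {purpose}")

    def require_consent(self, subject_id, purpose):
        """Gate for any code path that processes data for `purpose`."""
        rec = self._subjects.get(subject_id)
        if rec is None or purpose not in rec.consents:
            raise ConsentError(f"no consent from {subject_id} for {purpose}")
        return rec

    def promotional_recipients(self):
        """Only subjects who ticked the email_promotions box are mailed."""
        return sorted(sid for sid, r in self._subjects.items()
                      if "email_promotions" in r.consents)

    def export_subject(self, subject_id):
        """Right of access: a copy of everything held, including consent state."""
        rec = self._subjects[subject_id]
        return {"email": rec.email, "profile": dict(rec.profile),
                "consents": {p: t.isoformat() for p, t in rec.consents.items()}}

    def erase_subject(self, subject_id):
        """Right to erasure: drop the personal data, keep only the audit entry."""
        if subject_id not in self._subjects:
            return False
        del self._subjects[subject_id]
        self._log(subject_id, "erased on request")
        return True

    def holds(self, subject_id):
        return subject_id in self._subjects


def breach_notification_deadline(became_aware):
    """Article 33: notify the supervisory authority within 72 hours of becoming aware."""
    return became_aware + timedelta(hours=72)


if __name__ == "__main__":
    # Constructed sample data, not real customers.
    store = DataStore()
    store.register("u1", "a@example.com", {"name": "A"}, {"order_fulfilment"})
    store.register("u2", "b@example.com", {"name": "B"},
                   {"order_fulfilment", "email_promotions"})
    print("mail to:", store.promotional_recipients())
    store.withdraw_consent("u2", "email_promotions")
    print("mail to after withdrawal:", store.promotional_recipients())
    print("export u1:", store.export_subject("u1"))
    print("erased u1:", store.erase_subject("u1"), "still held:", store.holds("u1"))
```

The point of routing every processing path through `require_consent` (or a filter such as `promotional_recipients`) is that consent is checked where the data is used, not only where it is collected; a checkbox on the sign-up form is worthless if the mailing job reads the whole customer table.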