6 Facts about GDPR Compliance Regulations You Need to Know

  • by Noah Ramirez, JD / CIPP
What is GDPR?

By now, you’ve likely heard of the General Data Protection Regulation (GDPR), but you may not understand all of its implications, especially if your company operates outside of the EU. The GDPR is often referred to as the biggest and most significant change in data privacy regulation in 20 years. Its goal is to transform how organizations in every sector handle consumer data, putting consumers in the driver’s seat. For the first time, people have a say over who collects their personal data, when it’s collected, and how it’s used.

With this regulation, companies can’t just clean up the mess and say sorry after a data breach. They can’t collect and use consumer data without oversight or plainly-worded disclosures. They have to prove they are following the GDPR requirements to protect that data on day one. Transparency is the name of the game, a new notion to many organizations that have traditionally put data privacy on the back burner, let alone told consumers how they handle their data.

While the GDPR changes may seem overwhelming right now, the long-term results are expected to be better customer experiences and greater trust between consumers and companies.

6 Facts about GDPR

Rumors are swirling about GDPR requirements, so we decided to put together six facts you need to know now. Plenty is riding on compliance. At least one global survey found 85 percent of U.S. companies believe the GDPR compliance regulations put them at a disadvantage with their European competitors, yet the same survey discovered the U.S. is the least trusted country for respecting privacy rights. Even more, 67 percent of U.S. consumers agree the U.S. should do more to protect their data privacy. Clearly, compliance with the GDPR could do much to improve these negative perceptions.

1. The GDPR May Be An EU Mandate, But It Impacts Every Country

The EU Parliament approved the GDPR in 2016 to replace a data protection initiative from 1995, but the changes weren’t enforced until May 25, 2018. There’s a misconception across the pond that U.S. companies that don’t do business with European companies are exempt. Not so fast.

The GDPR changes apply as much to organizations in other countries as they do to those within the EU. If any organization, EU or otherwise, offers goods or services to or monitors the behavior of EU data subjects, they’re on the hook. As EU GDPR.org puts it, “It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”

What types of data are protected under the GDPR?

  • Basic identity information (including name, address, email address, etc.)
  • Web data such as location, IP address, cookie data, and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation
  • Any information that relates to an identified or identifiable living individual

2. You’ll Have to Designate a Representative in the EU

Most companies outside of the EU must designate a representative in the EU if they don’t have an existing presence there and process personal data of EU residents. This means if your U.S. company sells products online to customers in the EU, or even if you just have visitors to your website from the EU, you have to comply. The designated representative is there as a contact for EU supervisory authorities and data subjects and to maintain processing records.

If you don’t already have an EU-based subsidiary, corporate affiliate, or external data protection officer, you can name an unaffiliated person or entity. Consider a “GDPR Representative as a Service,” where you pay a U.S. company a flat fee to name one of their EU representatives to act as yours, listing them as your EU contact to satisfy GDPR regulations. It’s a fast and easy way to ensure you are covered.

3. There Are Hefty Penalties for Non-Compliance

The GDPR is a complete shift in thinking, and it’s safe to say many U.S.-based organizations are still scratching their heads. While there will be some grace period as companies learn their responsibilities and come up to speed, patience won’t last long. Companies must at least prove to officials that they are actively working towards accountability and compliance. Penalties for non-compliance are tiered and can be as high as 4 percent of global turnover, or $24.4 million, whichever is greater.

4. You Can’t Hide Behind Legalese

Does anyone read the fine print or the pages of data privacy practices? Likely not. Pew Research reported that half of online Americans don’t even know what a privacy policy is. The GDPR changes prohibit companies from hiding behind illegible terms and conditions that are difficult to understand. Instead, companies must clearly define their data privacy policies and make them easily accessible. There’s another caveat: you also have to know and monitor the privacy policies of your vendors... and their vendors, to be sure they’re in compliance when they use your EU users’ data, because you could be held accountable for their compliance with the GDPR.

5. Breach Notifications Have Time Limits

When a breach happens and threatens consumers’ privacy rights, companies are on the clock to report it within 72 hours of becoming aware of the breach. Data processors must notify their customers right away. This may be one of the biggest changes in practice for U.S. companies, where more than half have no incident response procedures in place and nearly 60 percent do not share their data on breaches. Equifax took six weeks to report a breach that impacted up to 143 million Americans.

Consumer patience is running thin. With the GDPR changes, companies who must comply will have to pay penalty fees for such behavior.

6. You’ll Have to Answer to Data Subjects

The GDPR requirements give consumers (a.k.a. data subjects) the right to ask companies for the information they hold on them, and companies must be able to give them what they want within a month. These “subject access requests” will force organizations to know where their collected data is at all times, what data is being collected, how it’s being used and by whom, and when it’s being accessed. If the consumer finds an error, the organization must correct the error. If the customer opts for “the right to be forgotten,” the company must erase their data. The consumer can also object to how their personal data is being collected and used.

Most U.S.-based organizations are behind when it comes to having this data at their fingertips. Big data is big and it isn’t always in the same place. Customer data can be in core operational systems, cloud applications, online file-sharing services, removable media, physical storage cabinets, third-party providers, temporary files, sandbox systems, backup systems, and employee devices, just to name a few.

Ultimately, gaining control over this data benefits both the organization and the consumer. Forbes believes GDPR compliance has five benefits: enhanced cybersecurity, improved data management, increased marketing ROI, boosted audience loyalty and trust, and the opportunity to become the first to establish a new business culture. If that’s not enough, consider the alternative: penalty fines for non-compliance. GDPR compliance won’t happen overnight, and it may be a painful process. But even as you up your transparency game, you’ll gain visibility into your vendors’ data compliance practices at the same time, forcing all companies to do better or get left behind.

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy, Noah enjoys rock climbing and yoga.