The EU's GDPR – What Does It Mean for U.S.-Based Firms?
As the GDPR deadline steadily approaches, it is important to start preparing for the regulation if you haven't already. In case you aren't aware, the EU took a major step to protect the personal data and privacy rights of people in the EU by adopting the General Data Protection Regulation (GDPR), which applies from May 25, 2018. Just because the GDPR is an EU regulation, however, doesn't mean that U.S.-based firms are exempt.
Any firm, even one based in the U.S., that offers goods or services to people in the EU or monitors their behavior must comply. Note that the regulation protects individuals located in the EU regardless of citizenship. This means that even if your firm doesn't do business in the EU, but has a website or a form that collects data on people in the EU, you still need to comply. Failing to adhere to the GDPR can lead to fines of up to 20 million euros or 4% of global annual turnover, whichever is greater.
Consent is harder to obtain than before. Under the GDPR, consent mechanisms such as email opt-ins must give data subjects a clear explanation of what they are consenting to, and consent must be freely given, specific, and expressed through an affirmative opt-in action; pre-ticked boxes, silence, and inactivity do not count as consent.
Responsibility has shifted. In the past, your firm was not held responsible for how vendors and third-party partners handled the data you shared with them. Under the GDPR, a firm that decides how personal data is used (the controller) may only use vendors (processors) that provide sufficient guarantees of protection, and must bind them by written contract to the regulation's requirements.
Definitions of key terms have changed. The GDPR defines "personal data" and "personal data breach" more broadly than most U.S. laws do. Personal data is any information relating to an identified or identifiable person, which includes online identifiers such as IP addresses and cookie IDs as well as location data. A personal data breach covers not only theft but also accidental loss, alteration, or unauthorized disclosure of or access to personal data, and breaches must generally be reported to the supervisory authority within 72 hours of the firm becoming aware of them.
Additionally, because your firm is now responsible for how vendors and third parties store the personal data you entrust to them, your firm must ensure that your cloud provider has adequate protections in place. Firms should revisit existing cloud agreements and ensure they meet EU data privacy standards. This can be a time-consuming process, so you will want to begin negotiations if you have not already. Firms also need to update the privacy notice on their website to reflect any changes made and to state the specific purposes for which they collect and use personal data; the GDPR does not allow data collected for one stated purpose to be quietly reused for another.
Have a Written Information Security Policy (WISP) in place. A WISP documents the administrative, technical, and physical safeguards your firm applies to personal data. It helps prevent data theft and, under the GDPR's accountability principle, gives you the documentation to demonstrate compliance if a regulator or a data subject asks.
Use a data auditing solution to audit data access and permissions. Permissions are often far broader than necessary; tightening them to the least privilege each role actually needs reduces both the likelihood and the scope of a data breach.
Consider using a data classification engine to detect personal data and sensitive data on your network. Pay attention to how this data is stored, used, and shared: you cannot protect, or report a breach of, data you do not know you hold.
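To make the last two recommendations concrete, here is a small scanner written for this article (it is an added example, not a product or a tool of the author's firm). It walks a directory, flags files that contain likely personal data using a few simple pattern detectors, and reports whether those files are readable beyond their owner. The detector patterns, the sample files, and the "owner-only" permission policy are all assumptions chosen for the example; a real classification engine uses many more detectors with validation, and the permission check assumes a POSIX filesystem.

```python
"""Added example: find likely personal data in files and flag files whose
permissions are wider than owner-only.

Illustrative code written for this article, not a real classification
engine. The regexes are deliberately simple and will produce false positives.
"""
import os
import re
import shutil
import stat
import tempfile

# Each detector maps a label to a compiled regex. These patterns are
# assumptions for the example; production detectors need validation logic.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # E.164-style international number with optional separators, e.g. +44 20 7946 0958
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b"),
}


def classify_text(text):
    """Return {label: match_count} for every detector that fired on `text`."""
    hits = {}
    for label, pattern in DETECTORS.items():
        count = len(pattern.findall(text))
        if count:
            hits[label] = count
    return hits


def permission_findings(path):
    """Return a list of permission issues for one file (empty list = owner-only).

    'Too broad' here means readable by group or others; adjust to your policy.
    Assumes POSIX mode bits.
    """
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    return findings


def scan_directory(root):
    """Walk `root` and report every file that appears to hold personal data,
    together with any permission findings for that file."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than crash the scan
            hits = classify_text(text)
            if hits:
                report.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "personal_data": hits,
                    "permissions": permission_findings(path),
                })
    return sorted(report, key=lambda entry: entry["path"])


def demo():
    """Build a constructed sample tree, scan it, and return the report.

    The file contents and permission modes below are made up for this example.
    """
    root = tempfile.mkdtemp(prefix="gdpr-scan-")
    try:
        samples = {
            # A CRM export that plainly holds personal data, left world-readable.
            "exports/contacts.csv": (
                "name,email,phone\n"
                "Anna Muller,anna.muller@example.eu,+44 20 7946 0958\n",
                0o644,
            ),
            # A web server log: IP addresses can be personal data under the GDPR.
            "logs/access.log": (
                '203.0.113.42 - - [10/Jan/2018:09:15:02 +0000] "GET / HTTP/1.1" 200 512\n',
                0o600,
            ),
            # Nothing personal here; should not appear in the report.
            "docs/readme.txt": ("Internal build notes, no customer data.\n", 0o644),
        }
        for rel, (content, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return scan_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for entry in demo():
        print(entry["path"], entry["personal_data"], entry["permissions"])
```

Run as a script, the example reports the CRM export (email and phone number, world- and group-readable) and the access log (an IP address, owner-only), and omits the file with no personal data. In practice you would point `scan_directory` at file shares and exports, feed the results into your data inventory, and treat every "world-readable" finding on a file that holds personal data as a permissions bug to fix.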
Additionally, participating in the EU-U.S. Privacy Shield can help firms navigate the regulation. The Privacy Shield is a program under which U.S. companies that self-certify to its principles are deemed to provide adequate protection, which allows personal data to be transferred to them from the EU. It is one of several recognized transfer mechanisms (standard contractual clauses are another), so firms that do not join should still have a valid basis for any EU data they receive. For more information on how the EU-U.S. Privacy Shield fits with the GDPR, stay tuned: we will be posting a blog about it on Thursday, January 11th.
Although it can be overwhelming to make sure your firm is compliant, there are resources available to make your job easier. For more information, checklists, and guidelines on the GDPR and how it affects U.S.-based firms, read our whitepaper, "The Deadline is Coming: What U.S. Based Firms Need to Know about the GDPR". Additionally, using a third party or vendor as a resource can be extremely helpful and provide expertise where your firm may be lacking.
Most importantly, your firm must be ready for the GDPR by May 25, 2018, otherwise you may be subject to massive fines. That may seem like a long time away, but some of the preparations can be time consuming and your firm needs to be thorough. To ensure that your firm is compliant or for additional guidance, contact Eze Castle Integration for an evaluation.