The Green Sheet Online Edition
September 26, 2016 • Issue 16:09:02
GDPR: Why it affects businesses even outside of the EU
The General Data Protection Regulation (GDPR) will become effective in May 2018 for the European Union's member and treaty states; however, if you are a U.S. business with EU locations or otherwise receive the personally identifiable information (PII) of EU citizens (EU PII), these regulations apply to you. Incorporating the requirements into your existing policies and procedures or creating new ones should begin now.
Location, location, location
Many U.S. businesses have questioned the need to comply with this foreign regulation; multiple factors have contributed to the necessity, including the recurring element of location.
Where the location of your corporate office once dictated whether you had to follow EU guidelines, it no longer applies. If you collect or receive any EU PII and control what it is used for or where it is sent, you are considered a controller, who, under the GDPR, must provide "adequate" protection and abide by the "Principles Relating to Processing of Personal Data." This includes ecommerce businesses and applies to any PII processed, whether or not by automated means.
In addition, if you are a U.S. business receiving EU PII, you will need to maintain a U.S./EU Privacy Shield certification through the U.S. Department of Commerce, which serves as substantiation to the EU that, at a minimum, your business complies with the principles of protection and individual access rights, which are taken from the same principles applied in the GDPR (and the current Data Protection Directive). After September 30, 2016, U.S. businesses must have a Privacy Shield certification to legally receive EU PII.
Consider, too, that if your business suffers a breach, it is the residential location of the customer or employee that determines breach reporting and consumer notification requirements. The same can be said for the breach reporting laws in 47 U.S. states, so regardless, all businesses today should be prepared to report breaches and send consumer notifications within strict deadlines and in accordance with the applicable state or country laws. Per the GDPR, the timeline for notification will be 72 hours; is your business currently prepared to meet this challenge?
The principle idea
The GDPR principles predicate many of its requirements. The principles require PII to be processed transparently and only for a specified, explicit purpose. Businesses must only collect PII that is minimally necessary for their purpose, keep it up to date and accurate, only keep it in an identifiable form until it is used for its specific purpose, and maintain appropriate security throughout processing.
Many of the same regulations stipulated by the GDPR are becoming laws in other places, such as in our own individual states – Massachusetts, Michigan, Oregon, California, etc. – but thus far, only on a limited scale. Most U.S. businesses, therefore, will be unprepared to collect explicit consent, provide data access, including a request to be forgotten, or have a destruction schedule in place that is based on the conclusion of use for PII instead of their customary storage procedures.
In addition, while some states may only require an employee to be designated for a security program, the GDPR sets out an entire standard related to a data protection officer (DPO). This is not to say that all American businesses will need to start operating under EU standards simply because they may receive an occasional customer from the EU. The decision to incorporate, or not to incorporate, the monumental changes essential for compliance should be made at the highest level of the company.
The Not So Small Stuff
The following marks three of the major GDPR elements triggering strategic planning by U.S. companies.
- Choice and consent
The most recognized types of businesses that request consent to collect PII include websites, apps, medical offices and employers. Websites and apps generally have a check box that must be "unchecked" if the individual does not wish to give consent. This is called "opt-out." A doctor's office and employer, however, require your signature or have you check a previously empty box; this is "opt-in." The GDPR only allows for "opt-in."
When asking for consent, the controller must clearly and conspicuously state who is requesting the consent; what PII will be collected and its purpose (all purposes must be consented to); if the information will be disclosed to a third party, and either who that party is or what type of company it is; if the PII will cross international borders; that they may withdraw their consent at any time; and more.
- Data access and the right to be forgotten
EU individuals also have a "right of access," which allows them to request copies of all PII you hold regarding them, rectify their PII, request that it not be processed, or transfer the PII to a different controller. One of the most publicized decisions related to data access rights is the right to be forgotten, in which case the controller must ensure that all PII, including that which has been transferred to third parties, is removed.
You need to be able to respond to these requests within 30 days and have policies in place dictating who will be allowed access to the records and how identification of the individual making the request will be verified.
- Data protection officer
There are several activities that mandate a company hire a DPO, but this particularly applies if your core activities include processing of high-risk data or large-scale monitoring activities. The DPO must have expert knowledge of data protection laws and be able to objectively assess the processing of PII, evaluate the severity of risk, assure the data protection provisions and policies are adhered to, and provide training.
Experienced and qualified DPOs are in high demand, but you may hire one on a consulting basis, if appropriate. Even if a DPO is not mandatory, DPOs are recommended to provide expert knowledge, guidance and implementation of appropriate compliance measures.
The time is now
With the above-referenced information only acting as an example of a few GDPR requirements, and the Privacy Shield certification required now, all relevant U.S. businesses should begin these time- and labor-intensive preparations to become compliant as soon as possible. Be sure to consult with a privacy professional to ensure your compliance with the new laws.
Lorie Schrameck, CIPP/US, is Manager of Operations at CSR Professional Services Inc., the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Lorie can be reached at . For more information or assistance in learning about the regulations applicable to you or your merchant customers' business, contact CSR at 866-294-6971 or online at www.csrps.com.