Why Should You Care about GDPR?

Recent EU Law Signals an Approaching Wave of Data Protection Regulations

It has been a little over a year since the European Union passed its sweeping General Data Protection Regulation (GDPR). Since its implementation, enterprises across Europe and closer to home have been scrambling to bring their operations into compliance. Google was the biggest name to feel the bite when regulators fined the tech giant 50 million euros for allegedly convincing users into giving up personal data through processes they did not fully understand. The fine remains the largest yet levied under the new law.

Enterprises on this side of the Atlantic might ask what all the fuss is about if they don’t do business on the European continent. It is worth keeping in mind that the internet does not necessarily recognize international borders. Organizations with a web presence may be doing business with and gathering the personal data of visitors from across the globe — a fact illustrated by the Google ruling. More importantly, other government regulators in the U.S. on both the state and federal level are taking note of developments across the pond and have, as is the case of California – with the California Consumer Privacy Act (CCPA) – implemented or proposed similar and even more expansive regulations. Any entity handling and storing user data would be wise to keep an eye on such developments, as they will have far-reaching implications in the months and years to come.

What is GDPR?

Adopted by the EU in April 2016 and implemented in May 2018, GDPR imposed comprehensive set of provisions to protect privacy, personal data and online transactions taking place in the EU. GDPR replaced the 1995 EU Data Protection Directive, which did not cover enterprises based outside the EU. With GDPR, even a U.S.-based business without employees or a physical presence in an EU country may still fall under its regulatory umbrella.

GDPR places control of personally identifying information (PII) that a company gathers under the control of the individual to which that information belongs. Companies must comply with all requests and permissions regarding an individual’s PII. GDPR ensures that users know and understand the personal data companies collect from them and that they consent to sharing it. The regulations also make it easier for individuals to retrieve their PII and either amend it or delete it altogether.

Most U.S. companies doing business in the region have already encountered these regulatory changes when asked by European partners to modify business agreements or demonstrate compliance. In the early months of 2018, users of numerous online platforms where flooded with terms of service updates. Though they may not have known it at the time, this was a direct response to GDPR.

GDPR is different from other privacy laws in that it is the first data protection regulation that places an emphasis on individuals’ rights. GDPR applies to any enterprise, regardless of location, that collects or stores personal data about EU residents. Any of the following criteria place a company within the jurisdiction of GDPR:

• The entity has a physical presence in the EU

• If it doesn’t have a physical presence but offers products or services to EU residents

• If it doesn’t offer products or services but monitors EU residents’ online behavior

Why U.S. Businesses Need to Plan for GDPR

U.S. businesses are wise to keep an eye on developments on the European continent for number of reasons. Whether they know it or not, they may already be doing business in the region and servicing European users or clients through the internet. Big companies learned the hard way that they ignore such developments at their peril.

Laws like GDPR presage similar legislative action here in the U.S., both on the state and federal level. Those tracking the regulatory climate have taken note of patterns in which successful policy programs have a ripple effect through all levels of government. On the heels of GDPR, as mentioned earlier, California took the lead domestically by instituting the California Consumer Privacy Act (CCPA). The California law goes into effect in January 2020 and, like its European cousin, will place significant restrictions on how companies handle, store, and use consumer data. CCPA also sets new standards for corporate transparency, allowing consumers to download collected data as well as letting them opt out of the sale of their PII. Those who fail to comply face penalties of up to $7,500 per infraction.

Many observers expect U.S. lawmakers to follow the lead of states like California in the coming years and enact federal data protection guidelines on the European model. While there are already provisions for notification and data transparency regulations like HIPPA, GLBA and FINRA, newer regulations like GDPR go a step further by ratcheting up the level of government oversight. In the wake of recent and occasionally combative public hearings with tech executives on the subject of data privacy, U.S. lawmakers have begun proposing a host of new data protection bills. Now is the time to for companies to take a hard look at how they handle user and consumer data – or risk being caught off guard – much like Google did.

How to Protect PII

In this escalating environment of data regulation, few businesses appear prepared for the coming wave. Security and compliance firm TrustArc recently surveyed 250 corporate privacy specialists from companies with 500 or more employees. The survey found 86 percent of respondents had not completed preparations that would bring their companies into compliance with CCPA, such as designing complex tools to identify and organize collected data while providing consumers with easy access to delete or modify it. The cost of compliance can be daunting — 71 percent of respondents to the survey said that they expect to spend at least six figures, while one-fifth anticipated expenditures of over $1 million.

U.S. firms remain equally unprepared for GDPR, which has been in place for nearly a year. Brian Vecci, a technology evangelist for Varonis outlined the problem saying, “You’ve got companies sitting in the Midwest of the United States that, because someone from the EU signed up for their newsletter, are suddenly subject to one of the most onerous privacy regulations ever. It cuts across all verticals. It doesn’t just impact financial organizations, or hospitals. If you have PII from one of the 28 member states, then it impacts your organization. ”

The following steps should be part of any organization’s compliance strategy when it comes to data protections regulations like GDPR and CCPA:

Appoint a DPO: Proactive enterprises are taking the step to designate a data protection officer (DPO), who is responsible for maintaining legal compliance with GDPR and similar data regulations. The ideal DPO has the necessary technical knowledge or staff to secure data and maintain business continuity along with a strong understanding of privacy and compliance issues. Typically, a DPO would operate independently of the employing organization.

Assess your compliance posture: Take inventory of you company’s readiness, highlighting areas of most concern. A good place to start is to determine what collected data fall under regulations like GDPR and CCPA. Many companies will have to design new data tracking systems in accordance with regulatory standards.

Plan ahead for a possible breach: In the case of GDPR, companies have just 72 hours to report a data breach. That’s not a lot of time. When a data breach occurs, the affected enterprise needs to know which parties to contact and what information to provide. Companies waiting for their first breach to a figure this out are flirting with disaster.

Valeo Networks has the collective expertise to identify the risks small to medium-sized businesses face in today’s complex regulatory setting. Our data security experts understand and stay abreast of the current and developing guidelines and they can assist you in bringing your enterprise into compliance. We provide gap analysis of organizations to identify exposure to potential data security threats and help formulate plans and procedures to prepare for the possibility of a data breach.

Contact info@valeonetworks.com  for a free assessment of your organization’s data protection status. You can also call us at 800-584-6844 for a free consultation.