If you’ve been a privacy professional at any point in the last few decades, your head is spinning with the myriad privacy laws and regulations in the U.S. and abroad. Some examples are the European Data Protection Directive of 1995, the strengthening of that directive in 2012, the French Data Privacy Law of 1978, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) of 2001, and last but not least, the U.S. Gramm-Leach-Bliley Act (GLBA) of 1999. During this period of overlapping privacy laws, it was difficult to determine which law, regulation, or directive you had to follow and which took precedence when trying to conduct business in Europe, the U.S., or Canada.
Fast forward to today: the General Data Protection Regulation (GDPR), adopted by the European Parliament in December 2014, went into effect on May 25 of this year. But what is it, and what does it mean for you? You’re probably wondering: “Should I adopt the GDPR requirements even though it does not cover my business?” or “What can my clients and I do to ensure initial compliance and long-term inclusion in our compliance management program?” Read on to determine the best steps for you and your company.
“What is it and why should it matter to me?”
The GDPR applies to any entity – even if located outside of the European Union, whether for profit or nonprofit – that offers goods or services to, or monitors the behavior of, EU residents. It should matter to you if your company or client processes or stores the “personal data” of EU residents, even if the company is located outside of the European Union. Personal data is defined under the GDPR as any data “that can be used directly or indirectly to identify the person”. Essentially, if you have customers or employees based in the European Union, you need to investigate whether the GDPR applies to you.
“Should I adopt the GDPR requirements even though they do not cover my business?”
Even if your company is not based in Europe, the GDPR was written with the intention of reaching companies outside of the European Union and requiring their compliance. The GDPR carries a noncompliance penalty of up to 4% of annual global revenue. The best practice is to work toward compliance until more legal guidance is issued. This guidance can come in the form of lawsuit challenges to the regulation or additional, newly created regulatory frameworks. Many companies, realizing that segregating data generated by European Union residents can be difficult, have opted to create universal privacy policies that apply to both U.S. residents and European residents.
We see more and more of our clients adopting a stricter security posture and choosing to comply with the GDPR even though they are not required to do so. With the potential for regulatory fines, reputational risk, and market risk, companies are becoming more cautious and opting for stricter data requirements in their compliance programs.
“What can my clients and I do to ensure initial compliance and long-term inclusion in compliance management programs?”
With the GDPR, there are notable compliance requirements for every applicable company: clear consent, data breach reporting within 72 hours or less, the individual’s right to know how their data is being used, and the right to be forgotten.
Establishing compliance with the GDPR is similar to other regulations in that the following key steps are taken:
- Identify the compliance requirements that apply to your company
- Perform a gap assessment against the controls that currently exist
- Implement additional requirements
- Measure, monitor, and report to ensure company compliance
Another, and arguably the most important, piece of compliance is the inclusion of the GDPR requirements in your ongoing compliance management program. The GDPR requirements, remediation activities, and process steps can be incorporated into an existing compliance management process. This ensures that there is proper awareness, sufficient controls, and regular reporting to appropriate levels of leadership. Given the size and scope of the risk of non-compliance, it is recommended that quarterly compliance reporting be provided to C-suite executives, as well as to the Board of Directors.
“We don’t have a compliance management program yet, now what?”
If your company does not have a compliance management program, the GDPR provides the opportunity to create one by identifying all requirements that apply across all applicable laws, regulations, and directives. In doing so, a company can establish clear accountability for implementing compliance measures and create a continuous process to manage, monitor, and report progress. To ensure that a robust and repeatable management program is created, Impact Makers recommends establishing a compliance program management office, along with corresponding organizational change management activities, to reinforce the importance of the compliance measures.
Companies should not panic about the GDPR! All indications are that early enforcement will target the bigger fish first. However, all applicable companies should be compliant or moving toward full compliance soon. For regulatory requirements in general, it is better to be conservative and add too many compliance requirements than to have gaps where you could become susceptible to regulatory violations.
If this article resonates with you, and you’re interested in a conversation to gain a better understanding of your company’s current needs, or your company requires help in adopting regulatory-compliant policies and procedures, Impact Makers can provide you with the services to adapt your compliance management program. Woods Rogers can provide counsel on the legal issues associated with privacy compliance.
About the Authors
Shannon Yeaker is a Lead Consultant in the Information Security and Risk Management service area at Impact Makers. In this role, Shannon has developed extensive experience and expertise in Security Controls, Process and Program Management, and Risk Management and Mitigation.
Beth Waller, an attorney at Woods Rogers PLC and Chair of the Cybersecurity Practice, counsels clients in the midst of data breaches on cybersecurity preparedness and on privacy concerns. She also helps clients with international business on compliance with privacy regulations as well as cybersecurity preparedness.