By now, it isn’t news that the General Data Protection Regulation (GDPR) deadline is looming. By May 25, 2018, companies that collect data from any European Union resident — in effect, any company with a website — need to be compliant with one of the toughest sets of data privacy rules enacted yet. GDPR has major implications for companies everywhere, as it effectively sets a new, stricter baseline for online consumer data protection.
GDPR hails an online world order in which the bar for data privacy regulation compliance is significantly higher than it has been before. Gone are the days of adding data collection fields just because you can, holding onto personal data ad infinitum, and not really knowing what personal customer data has been downloaded onto which device. Companies must be able to define a specific reason for holding each piece of personal data, track and retrieve that data throughout their entire IT infrastructure, and respond with lightning speed to any data breach.
While it’s not yet clear how hard regulators are going to come down on noncompliant organizations, the penalties laid out are significant: fines of up to 4 percent of annual global revenue or €20 million, whichever is larger. That’s not to mention erosion of consumer trust, which can have bottom-line implications for years. (A recent Intralinks Ovum Report survey already ranked the U.S. as the least-trusted country for protecting privacy.) It’s also important to note that typical business insurance likely will not cover the cost of fines under GDPR, so if you were relying on that to protect your company, you need to think again.
Although GDPR has been three years in the making, the majority of companies report being unprepared to comply with it. Here are six steps for companies that haven’t yet started on their compliance journey:
1. Assess your company’s data practices.
It’s amazing how far personal data about customers can travel through a company’s IT ecosystem. Even if your CMS is secure, personal data can end up on employees’ computers and other unexpected places. Make sure you understand how your workforce is currently using data, and institute policies to regulate where data can go and how long it can be stored. You should also assess your reasons for collecting and storing different types of data, as GDPR requires that you have a legitimate business or contractual reason for having customer data.
2. Appoint a data protection officer.
For some companies, this person’s sole job will be to regulate data within your infrastructure. In smaller companies, this person may have other duties as well. The data protection officer should be charged with understanding the regulatory environment around data — not just GDPR, but for U.S. companies, state regulations as well. If there’s a data breach, the data protection officer will be the point person to communicate with the regulatory authorities.
3. Update external privacy policies.
It’s important to be explicit with customers about how their data is being used, how long you hold onto it, and what steps they can take to request that you delete it. GDPR is intended to make it easier for people to track their personal data by sending “access requests” to companies. Through these requests, individuals can ask companies to erase, export, edit or limit their data, or object to its processing. Be ready to handle these requests when they come in.
4. Train all employees on data regulation.
It’s not enough to update company policies. All employees, from the board room to the mail room, need to understand the critical nature of data regulations and the ramifications of noncompliance. Sometimes the worst offenders for not following data policy are senior managers, so ensure that training happens from the top to the bottom of the organization.
5. Be ready for a breach.
Despite all your best efforts, it may not be possible to avoid a data breach. Unfortunately, tactics like data encryption, firewalls and two-factor authentication aren’t fail-safe. It’s best to prepare as if a breach is inevitable at some point. Gone are the days when businesses can take a month or longer to disclose data breaches, as was the case in the U.S. with Target in 2013. Under GDPR rules, companies must notify authorities within 72 hours of discovering a breach if personal data of E.U. citizens has been compromised.
6. Stay ahead of the curve on forthcoming data rules.
The regulatory environment around data is only getting tighter. More laws are coming, and companies should prepare for them. Careful handling of customer data should become a normal part of doing business in the digital world. Your data protection officer should stay abreast of regulations around the world as well as domestically. Don’t assume that geographical distance means regulations don’t apply to your business. In this global digital age, anyone, anywhere is a potential customer.
While data regulation compliance can be an expensive and arduous undertaking, the laws are an opportunity for companies to embark on a much-needed evolution of their data practices. The regulations will force companies to be better stewards of their customers’ data, making them more responsive to customer concerns, more nimble in their storage needs, and more thoughtful in how they use consumer data. Companies don’t have to go through this process alone. A third-party global commerce services organization can provide fraud and risk management as well as global regulatory compliance services to help companies achieve readiness for GDPR and other forthcoming regulations.
Christopher Rence is the data protection officer for Digital River, a global e-commerce, payments and marketing services provider.