When you do business on the global scale, complying with all the required regulations can be tough. Foreign countries can and do apply their own rules to companies that do business in their area.
One of the latest of these regulations is the General Data Protection Regulation, which will be enforced on U.S. companies starting May 18, 2018. It applies to any company that handles the personal data of EU citizens. Personal data includes names, addresses, telephone numbers, email addresses, credit cards, financial or medical information, social media posts and IP addresses. The basic requirements are as follows:
1. Companies will not be allowed to bury consent for use of personal information in the middle of their terms and conditions, but must explain it clearly and separately. Also, consent to use private information has to be opt-in, not opt-out (no pre-ticked boxes, for example).
2. It must be made as easy to withdraw consent as to give it.
3. You will be required to notify all customers within 72 hours of becoming aware of a data breach of any kind.
4. Customers have the right to obtain a copy of any personal data you are holding, where it is being stored, and what it is being used for. The copy must be received in a commonly used format.
5. GPDR enshrines the “Right to be Forgotten” – which means you need to ensure that you erase data, prevent further dissemination, and request that any third parties cease processing if the customer withdraws consent or if you no longer need the data. (This can be trumped by public interest – for example, HIPAA health record requirements).
6. You have to include data protection in any new system as a design parameter, not adding it later.
7. You have to process and hold only the data you need and give it only to employees who actually need access to it.
8. You cannot process the data of children without consent from their parents or guardians.
So, what should companies do? Given this affects anyone holding data – in fact, you cannot avoid it by not doing business with EU citizens as all you have to do is have a website that uses cookies and can be accessed by somebody in the EU to be affected. Penalties for non-compliance can include fines of up to 4% of global turnover or €20 million (this is the maximum for serious infringements). Fines are tiered and the rules apply to both controllers and processors.
So, companies should consider the following:
1. Updating training of employees so that they understand how they have to handle personal data. Many companies may find it easier to apply the EU-specific rules across the board.
2. Appointing a Data Protection Officer. Some small companies may find this unnecessary (or prohibitive), but having a person who is assigned simply to understand the GDPR requirements and your infrastructure may help not only with GDPR compliance, but with public relations. Some companies are obliged to have a DPO – it depends on how much EU citizen data you are handling.
3. Putting in place proper data breach notification policies to make sure that customers know if there has been a breach.
4. Writing a proper notice of privacy practices. If you are in healthcare, HIPAA compliance is similar.
5. Doing a data audit. It is very important to know exactly what data you are collecting and using and whether you really need to keep and hold all of it – remember that you cannot have an embarrassing breach of be fined if you are not storing the data in the first place.
Many companies fully expect to be fined as they may not be able to reach compliance in time. For smaller companies, doing a full data audit and possibly assigning a DPO may be close to prohibitive in time and expense. If you are going to be affected by GPDR, then you should contact PointClick Technologies in order to get the help you need to be ready and compliant by May.