Are You Ready for the GDPR?

    As many throughout the country usher in spring, others are wondering how the upcoming General Data Protection Regulation (GDPR) is going to affect the way they currently do business within the European Union (EU).

    The compliance date of May 25, 2018 is quickly approaching. Do you know the effects on your business? Are you ready?

    The GDPR is about to change the way that your company needs to manage its customer data, whether the business is located within the EU or not.

    The new regulation is stricter and has new privacy restrictions governing the collection and use of personal data of EU citizens. But it doesn’t apply just to companies based in the EU: Compliance is required for any company that has data on any EU citizens, who number more than 500 million. Chances are, your company falls into this category.

    The key is the EU citizen, wherever in the world they may be. The implications for many can be far-reaching.

    For instance, a United States (U.S.) company that uses cookies when an EU citizen visits its website is affected by the GDPR if that visitor's data is collected in web form-fills. Any sales, marketing or advertising that involves personal EU citizen data falls under the GDPR umbrella.

    Another example: an EU citizen gets their conference badge scanned at a trade show exhibit booth in Tokyo, and the lead data is then uploaded into a CRM in Denver — that counts. It does not matter where the data was collected or uploaded, or where a marketing campaign is launched; as long as the data represents an EU citizen, you are subject to the GDPR no matter where the data is stored.

    Non-compliance is not an option for most U.S. companies: the fines can be up to $24.8 million (€20 million), or 4 percent of annual revenues, whichever is greater.

    A U.S.-based company with operations in the EU can certainly be subject to fines for GDPR violations. And while the situation is less clear for companies without a presence in the EU (but which have data on EU residents), experts say that legal frameworks are in place for enforcement actions.

    Fundamentally, the GDPR aligns the disparate EU nations under one data privacy law and empowers EU citizens with new rights to guard their privacy.

    GDPR introduces new requirements for companies in several key areas:

    • Right to data access. EU citizens have the right to request and receive detailed information on what data your company possesses on them and how it’s utilized.
    • Data portability. EU citizens have the right to ask that your company transmit their data to another company, making it easier for them to switch to a competing service or product provider.
    • Right to be forgotten. EU citizens can demand you delete all information you have on them (called “data erasure”) and can revoke consents they might have given you previously.
    • Breach notification. Applying to both data controllers and processors, this requires that EU citizens be notified within 72 hours of a data breach that might compromise their privacy.

    Not unlike many of the U.S. regulations regarding privacy and data sharing, the GDPR means all companies should be rethinking their processes for collecting and sharing data. Review your mechanisms to identify those consumers who are EU citizens and secure their explicit consent for data collection. As with the Office for Civil Rights (OCR), you will need to establish processes for responding to any GDPR-related requests from EU citizens and be able to notify them in the event of a data breach.

    Judith is an accredited Certified HIPAA Professional (CHP) and a member of HIMSS. Owner of JAL, Judith is your subject matter expert, providing guidance to organizations on HIPAA, GLBA, the False Claims Act and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information.

    Follow JAL:

    Twitter: @judithconsult

    Instagram: judithconsult

    Copyright © JAL Consulting 2018