The GDPR: What You Don’t Know May Hurt You
If you’re unaware of these new data protection and privacy requirements – or don’t know if they are relevant to your business – you definitely have a problem.
And you’re not alone.
According to a recent poll, 51% of U.S. organizations are either unconcerned about the GDPR or unaware of its relevance to their businesses. Although 27% of respondents said they were concerned about the regulations, these folks had yet to develop a compliance plan.
The Rules Reach Beyond Europe
Adopted by the European Parliament in 2016, the GDPR requires companies that process the personal data of EU citizens to implement strict new data privacy and protection measures. Even if your company does not have a physical presence in any EU nation, it must comply with the regulations if it stores or processes information on EU citizens (or subcontracts those tasks).
The list of regulations is lengthy, but here are a few highlights:
- Organizations must provide a “reasonable” level of protection for personal data. (The definition of “reasonable” is TBD.) In addition to names, addresses, etc., companies have to safeguard: IP addresses and cookie data; health and genetic information; racial and ethnic data; and data on political opinions and sexual orientation.
- The data breach notification rule states that if a breach occurs, it must be reported to the supervisory authority within 72 hours. If the breach poses a high privacy risk for the affected individuals, they must also be informed.
- Upon the request of a “data subject,” organizations must correct any inaccurate or incomplete information in their databases.
- Individuals have a right to be forgotten. This allows people to request the removal of personal data from your files if they withdraw their consent or can prove that there’s no longer a compelling reason to continue processing it.
- Companies must appoint a Data Protection Officer (DPO) if they process or store large amounts of EU citizen data or special personal data, or if they routinely monitor data subjects or qualify as a “public authority.”
Costs of Compliance and Noncompliance
Failing to comply with the GDPR could trigger fines of up to €20 million or 4% of global annual revenues, whichever is higher.
Achieving full compliance may not be cheap, either. A 2017 survey by PwC found that 77% of U.S. companies planned “to allocate $1 million or more on GDPR readiness and compliance efforts – with 68% saying they will invest between $1 million and $10 million and 9% expecting to spend over $10 million ….”
If your company hasn’t already done so, it should immediately determine whether it stores or processes data on EU citizens. If so, evaluate whether enhanced data protection tools are needed and allocate additional resources for GDPR compliance.
Although playing by the new rules may be burdensome, it could also prove a blessing in disguise.
A survey by Varonis Systems found that 74% of businesses believe GDPR compliance will give them a competitive edge by increasing consumer confidence that data is properly secured and private. This finding could be especially significant for U.S. firms. Another survey found that, when it comes to privacy rights, the U.S. is the least trusted country on Earth, behind even Russia and China.
A GDPR-based marketing strategy that successfully alters that perception might give your company a competitive boost.