Does GDPR Matter If You’re Based in the U.S.?
This is the second piece in a week-long series exploring the implications of GDPR. You can find the first piece here.
How many United States firms are paying attention to what is happening across the pond with GDPR? According to a RealWire survey, only 16 percent of companies in the Americas believe they must comply with GDPR—a percentage far less than the number of companies actually subject to the new regulations. If your company relies on the creation or processing of data to succeed in the marketplace (and what company doesn’t?), then keeping abreast of global GDPR developments—especially the near-term enforcement of EU’s new GDPR rules—ought to drive deliberations in your executive suites and boardroom.
An Inalienable Right
The evolution of GDPR in the EU has taken various twists and turns over the past few years, but the bottom line is that Europeans view data privacy as an inalienable human right, and companies handling such data have an abiding responsibility to protect it. Under the EU’s new GDPR regime, the scope of data considered “private” is much broader than in the U.S., and the new rules grant European citizens considerably stronger legal rights to sue for alleged privacy violations. European consumers now have the right “to be forgotten,” in essence, to have their online footprint expunged.
“The GDPR appears daunting to U.S. companies,” says Kenneth Rashbaum, head of the GDPR Compliance Group at Barton LLP in New York. “But it can be summed up in one sentence: Tell the data subject what you are doing with her data, provide her with certain rights with regard to how you use that data, keep it securely, get rid of it when you have no further need for it and only share it with those you trust to safeguard it as you would. In the wake of the recent Facebook incident, many U.S. companies have implemented, or will soon implement, these concepts on a global scale because global markets will demand it.”
The Revolution to Come
If the world is indeed going to follow the EU’s lead on GDPR, then U.S. companies need to ready themselves for the revolution to come.
We’re at the cusp of that revolution right now. Your company may be U.S.-based, but if you process the personal data of EU nationals, you are still compelled to be compliant with GDPR as of this month, May 2018. If you’re not, you could face some stiff fines: up to 20 million euros or 4 percent of your company’s global turnover, whichever is greater.
“Too many companies have concentrated on trying to find an argument for saying that GDPR does not apply to them,” said Jonathan Armstrong, a partner at Cordery in London who specializes in GDPR and technology policy.
“Almost certainly, GDPR does apply. Companies need to get a properly prioritized plan together.
“The key element in GDPR planning is focus. We’ve seen lots of GDPR ‘fake news’ that has distracted attention from the real risks facing companies.
“At the same time, many organizations are swayed by vendors telling them to do the wrong things. Companies must focus on where their big pressure points will be—issues such as data security, how they relate to data subjects, how they handle data properly and how they assess risk. If they can get those four things right, maybe 80 percent of their GDPR program will be done, but the key is focus,” Armstrong says.
Impact on Your Cybersecurity Practice
Mark Mermelstein, the Los Angeles-based Global Co-chair of Orrick’s Cyber, Privacy & Data Innovation practice, worries about GDPR’s impact on companies’ cybersecurity practices.
“To me, what stands out about GDPR is the combination of the speed with which covered companies will need to report a breach—72 hours after becoming aware of it—and the size of the penalties associated with noncompliance. Severe breaches will be subject to potential fines of up to 4 percent of worldwide turnover. Whenever you have a situation where you force disclosure upon the penalty of a significant fine, you get companies reporting, but the quality of the information being reported falls.
“No one wants to be incorrect when reporting a breach, but they also need to report quickly. That tends to result in breach notifications that are vague. So while the spirit of the law is certainly positive, one must ask whether it will result in useful information being shared with the marketplace,” Mermelstein said.
Cybersecurity concerns should be at or near the top of your company’s GDPR preparation list. If your company is not currently able to adequately respond to data breach incidents or subjects exercising their rights, now is the time to start implementing additional controls and strengthen your cyber breach crisis communications plans.
Companies doing the right thing on GDPR have an obligation to share their commitment to privacy protection with customers, prospective customers, business partners, investors and other key stakeholders. If protecting customer privacy is now an integral part of your brand positioning, you need to trumpet it through concerted marketing, earned and paid media and a steady drumbeat on social and digital media.
- Conduct an online survey that invites customers and prospective customers to identify the features they would like to see in a privacy protection policy.
- Appoint a privacy ombudsman to become a visible advocate for the company and the cause.
- Commit the CEO to a series of high-profile initiatives to spotlight the company’s renewed commitment to privacy.
Like it or not, GDPR is coming to a continent near and dear to your bottom line. Get ready for the revolution; it’s already here.