The deadline for General Data Protection Regulation (GDPR) compliance is May 25, and it imposes strict new rules on customer data protection that businesses must adhere to or face stiff penalties. GDPR strives to establish a new standard for consumer data rights, causing many businesses to scramble to change their policies and infrastructure to comply.
GDPR was adopted by the European Parliament in April 2016, effectively replacing data protection standards from 1995 that many consider outdated. All 28 EU member states must apply its provisions consistently. The impact extends outside Europe as well. American companies and other overseas businesses will likely modify their European strategy. Per an Ovum report, 85 percent of American companies see themselves at a disadvantage to European companies with the implementation of GDPR.
Additionally, since many companies based outside the EU process personal data of European residents, they are required to comply with GDPR. The worldwide impact of GDPR should not be underestimated.
How GDPR will impact your business depends on several factors, including your location and number of employees. The looming deadline means every business should evaluate whether it complies.
Who GDPR Impacts
GDPR has a ripple effect on the world’s business market. Still, GDPR compliance has specific criteria. For one, the business must have a presence in an EU country or process the personal data of European residents, which most major businesses do. The company must also have over 250 employees. If a company has fewer than 250 employees but its data processing still impacts the rights of data subjects, it must adhere to GDPR.
In reality, the vast majority of companies impact the rights of data subjects, so effectively nearly all companies in the EU and an ample number internationally are feeling the impact of GDPR compliance.
How Your Business Can Prepare for GDPR
With the deadline set, businesses still have time to prepare for compliance. GDPR names three roles with pivotal responsibility for ensuring compliance: the data controller, the data processor and the data protection officer.
Under GDPR, the controller and the processor must designate a data protection officer, whose duty is to oversee GDPR compliance and data security strategy. Some public offices like law enforcement may be exempt from having a data protection officer, though the vast majority of EU businesses now require one.
The Price of GDPR Compliance
GDPR will have a substantial monetary impact, especially on international businesses. A PwC survey finds that 68 percent of U.S.-based companies anticipate spending $1 million to $10 million to meet GDPR requirements, and 9 percent expect to spend more than $10 million. It’s one of several reasons that American businesses feel they are at a competitive disadvantage due to GDPR.
For businesses in the EU that do not comply with GDPR, the monetary cost can be steep. Specifically, GDPR authorizes penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. Oliver Wyman finds that the EU may collect as much as $6 billion in fines in the first year alone.
It’s not yet clear how the EU will assess penalties for not complying. There are still a variety of businesses, especially overseas, that are relatively unaware of GDPR. Although it’s unlikely that every business not complying will be handed a fine, it’s likely that enough will face fines to the point of serving as a cautionary tale to others. Regardless, it seems certain that a number of businesses will be handed fines very publicly, to remind the public of how GDPR is a pressing matter.
Data and GDPR
GDPR’s primary emphasis is the handling and storage of personal data, which includes basic identity information like name, address and ID number. GDPR also concerns itself with biometric data, health and genetic data, racial or ethnic data, sexual orientation and political opinions. GDPR covers most forms of personally identifying data.
Many are curious how GDPR will apply to data storage platforms, which store data uploaded by users, typically with encryption. “Digital Destiny: How the New Age of Data Will Transform the Way We Work, Live, and Communicate,” a book by Shawn DuBravac, explores the emergence of storage platforms over hard drives and how that impacts the technological landscape as a whole. “We don’t keep things locked in our hard drives, instead we let services like Dropbox store them for us, just as a bank stores most of our money.”
In 2018, businesses can expect to see many questions answered regarding data storage and how storing data locally differs from storing it remotely in the eyes of GDPR.
The Impact of GDPR on Your Business
Overall, the impact of GDPR on your business will likely require substantial modifications to how you process, store and protect your customers’ data. From now on, storing personal data of EU residents is only legal when there’s consent. Additionally, businesses must erase personal data upon request and report data breaches within 72 hours to supervisory authorities.
In preparing for GDPR, ensure your business has appointed a data protection officer, inform stakeholders of the changes prompted by GDPR, carry out a thorough risk assessment and have a plan in place to report your GDPR compliance. These precautions will help to mitigate risk.