Sunday, October 29, 2017

How the General Data Protection Regulation (GDPR) Will Impact U.S. Companies

GDPR website
http://ec.europa.eu/justice/data-protection/index_en.htm
The European Union’s 1995 Privacy Directive had strong protection for the privacy of personal data for EU residents and the movement of data across borders. The directive required all EU nations to establish their own laws under its framework. All companies with businesses that collect EU customer data, wherever they were headquartered, were covered by its provisions. The US and the EU established a Safe Harbor agreement to certify that US member companies were complying with EU regulations. The 1995 directive provided strong privacy regulation for many years but now that is changing.

What is the GDPR?

In 2016 the EU passed the GDPR with an effective date of May 2018. The regulation updates the existing procedures under the 1995 directive. Most important, it is a regulation with the force of law, not a directive that directs member companies to establish laws. Industry group Third Certainty (so named because observers believe that today’s third certainty after the traditional death and taxes is identity theft) describes the regulation as follows:

GDPR isn’t a suggestion that companies institute best practices for customer data privacy; it is a directive that could result in fines of €20 million or up to 4 percent of annual global turnover. Not only will all companies in the EU be required to meet the new regulations, but GDPR also is in effect for all organizations that hold or process the data of customers who live in the EU.

In addition, the GDPR site identifies major changes as:
•    The unambiguous inclusion of all companies that process the data of people residing in the EU no matter where the companies are located.
•    Consent to be obtained in a clear and accessible way, free of legalese, and the purpose for processing the data must be explained. It must be as easy to withdrawn consent as it is to give it.
•    Data breaches to be revealed within 72 hours of the company first being aware of the breach. Data processors are also required to notify of breaches without undue delay when they become aware of the breach.

According to the Information Commissioner’s Office in the UK the rights of individual data subjects are:
•    Right to be informed by means of privacy notices
•    Right of access to their data a
nd information about how it is being processed
•    Right to rectification of inaccurate or incomplete data
•    Right to erasure of data where there is no compelling reason for continued processing
•    Right to restrict processing of personal data
•    Right to data portability, allowing subjects to move, copy or transfer personal data easily from one IT environment to another.
•    Right to object to certain types of processing
•    Rights related to automated decision making and profiling that protect against potentially damaging decisions made without human intervention.
notice that cookies are being collected
Cookie Notice from https://ico.org.uk/

The ICO Guide has more detail on these provisions and a “What’s New” page that highlights ongoing analysis. Notice that this information is being provided for UK organizations post Brexit on a site that has one type of cookie notification. The home page of the Financial Times shows another type of notification that is being used under the provisions of the regulation. Notice that this is the U.S. version of the London-based publication that is showing the same notification that is shown on the U.K. and World editions.
notice that cookies are collected
 Cookies Notice from https://www.ft.com/world/us
The individual rights under GDPR are based on the Fair Information Practices Principles discussed in Chapter 17. These specific rights update the 1995 directive by being clearer and more specific.

How Should U.S. Companies Prepare for the GDPR?


It seems the question should really be, “Are U.S. companies preparing for the GDPR?” A study by NTT Security, quoted by Thompson Reuters, found that many decision makers around the world were unaware of the regulation and how it would affect them. Switzerland had the highest preparedness level at 58% of businesses. The U.S. had the lowest level of awareness of the regulation with only 25% of companies believing the regulation would affect them.

The Thompson Reuters post says that the regulation:

attaches to any data concerning an individual residing or present in the EU. Thus, if data is connected to an individual in the EU, the GDPR applies — regardless of where such data is processed. They add that it requires that, “organizations be able to justify their reasons for holding or processing every piece of data in their possession."

Those are sweeping statements, especially in view of the large fines that can result from non-compliance. Steps that U.S. firms should take to comply are outlined by Information Week:

•    Determine whether the firm is a controller, a processor or both. A controller is the entity that determines the purposes and conditions under which personal data will be processed. Since processing includes anything as basic as collecting and storing data, that means that any brand that collects personal data is a controller. That definition is the same as under the 1995 directive. The definition of a processor also does not change; a processor is an entity that processes personal data for a controller. Both controller and processor(s) are responsible for compliance with the GDPR but primary responsibility lies with the controller

•    Audit personal data to ensure that there is a single view of each data subject. This is necessary to be able to “forget” a data subject under the regulation.

This can be a huge task, but Steve Forde of Britain’s ITV advocates viewing it as an opportunity. He finds 3 principles of data collection—transparency, control and value exchange—to be essential in creating trust with customers. Preparing for GDPR is a way to instill this philosophy throughout the organization with the result that customer trust should increase.

•    Redesign what consent looks like for your customers. They must explicitly consent to each use of their data and pre-checked boxes or opt-out requirements are not adequate. The range of data covered and special issues like collecting data from children have been make tighter and more explicit under the regulation.

•    Audit service providers to ensure they meet the requirements for processors. Otherwise the processing they do for a U.S. firm on its data for European subjects will be illegal.

•    There are other requirements like choosing a member state as the supervisory authority, appointing a data protection officer and locating data centers that are legal or technical in nature, but marketers need to be sure that all requirements are being met. Failure to do so could result in loss of access to data of European subjects—everything from contact information to CRM data. For many U.S. brands, that could result in a significant loss of business.

What is the Role of Privacy Shield?

privacy shield image
Privacy Shield prototype
Under the 1995 directive, the Safe Harbor program certified that U.S. companies were compliant with its provisions. That compliance framework has been superseded by the Privacy Shield program. Developed by the Department of Commerce, the service is open to all organizations that are under the jurisdiction of the FTC or the DOT. The framework allows companies to self-certify that they have met the requirements of the GDPR for both the E.U. and the separate Swiss framework.

Companies that wish to certify must have a Privacy Policy that is compliant with the GDPR. Current privacy policies will not conform to the new requirements, which are essentially the rights of individual data subjects listed above. The company must provide an independent recourse mechanism from an approved list that includes agencies like the Better Business Bureau and TRUSTe. The company must provide for verification of its compliance and designate a contact for the Privacy Shield program. Companies that certify under the Privacy Shield program will automatically be removed from Safe Harbor and must remove all references to it from their privacy policy and website.

U.S. Companies Should Move Quickly to Comply with the GDPR.

If this all sounds like a great deal of work, it is. At the same time, remember the advice of Steve Forde from ITV. Trust is essential to ecommerce businesses and being transparent about the way a brand handles the personal data of its customers helps create that trust.

So the best advice to U.S. companies is to move quickly so they do not lose access to the data of their E.U. customers and to do so in a way that creates trust with their customers all over the world.

See the infographic here 

Related Updates

Post-cookie (also called zero data) advertising 
Privacy attitudes vary by country 
Businesses still not ready for GDPR with EU consumer data
Analysis from HBR

No comments:

Post a Comment