As 2018 begins, businesses are getting ready for the new rules that go into effect this spring in the European Union. Or they should be. Companies around the globe must comply with the General Data Protection Regulation (GDPR) starting in May if they deal with the data of any European citizens.
The provisions and the need to comply may not be news to European-based companies that have had to comply with the previous EU Directive, a predecessor to the coming GDPR rules. But non-European companies may find that they suddenly must pay attention to these rules or face the consequences -- fines of up to 4% of revenue.
AllAnalytics.com spoke with Lei Shen, a partner at the law firm of Mayer Brown in Chicago and a specialist in transactional privacy, about some of the challenges and the status of company efforts.
"There’s a lot to do to get ready for the GDPR," she told me. "As we near the May deadline, we’re definitely seeing a lot more scrambling. While many companies are well underway in their preparation for the GDPR, some companies are just starting to realize how much work is involved to get ready."
Some US businesses may not be aware of what they need to do, she told me, because the EU and the US have different definitions for personal data.
"The definition of personal data is a lot broader in the EU than what is considered to be personal data in the US," Shen told me. "So, for example, business contact information is considered personal data in the EU."
US-based companies may not understand the scope of what is considered personal information by the EU, and therefore they may be underestimating the data that is subject to the rules.
In addition, while US-based companies may not be directly doing business with European Union customers, they are still subject to the rules if any of their subcontractors work with that data, again expanding the scope beyond what some companies may have thought.
If you haven't started your GDPR work yet, you have a big job ahead of you. Even if you have begun, you may want to prioritize your efforts as the compliance deadline draws nearer. With that in mind, I asked Shen what she thought was the top area for attention for companies trying to prepare.
"A big one is to do data mapping, especially for companies that weren't subject to the EU directive before and are subject to the GDPR now due to the change in jurisdictional scope," Shen told me. "In order to be able to comply with the requirements of the GDPR, companies need to know where their data is coming from, what consent was given at the time the data was collected, and what purpose the data was collected for. Conducting data mapping will enable companies to identify these factors and also make sure that all of these factors are taken into consideration when processing the personal data."
Companies may also want to reevaluate their data breach plans. Shen said that the EU requires companies to report breaches to a supervisory authority within 72 hours -- a huge difference from the notification timeframe in the US, which is 30 days.
"A lot of companies are having trouble complying with the 30-day requirement, let alone 72 hours," Shen said.
She recommends that companies create a data breach response plan and then practice that plan. Again, data mapping will be an essential component of the data breach response plan because the data mapping will enable companies to more quickly identify what data is on systems that have been affected by the breach.
So if you are a US-based company that does business in the EU, do you create a single compliance plan that follows the EU rules, or do you run two or more parallel plans so that you have more freedom with some of the data?
"We are seeing companies [follow the EU plan] because it's very hard to have multiple databases in place [for data from different countries] and apply different rules to each of those databases," she said. "Companies often take the strictest laws and apply them throughout."
An exception may be companies that operate mostly in the US and only have a small subset of data from the EU. Those companies likely don't want to subject all their data to the stricter EU requirements.