Page 1 of 2

GDPR Crosses the Pond

You’re a large organization headquartered in the U.S. Your clients and customers live mainly in the U.S. You have no intention to expand beyond the U.S. What could you possibly need to know about new data rules in the EU? Everything, it turns out.

How the European Union General Data Protection Regulation Affects U.S. Businesses

On May 25, 2018, the General Data Protection Regulation (GDPR) will officially replace the EU’s existing Data Protection Directive 95/46/EC, commonly referred to as the “DPD.” GDPR is the broadest data privacy law ever enacted, and it comes with draconian penalties: administrative fines of up to 20 million euros or 4% of annual global turnover, whichever is greater. Could EU regulatory tentacles reach across the pond and bankrupt your business?


Gartner thinks it’s possible; it predicts that by the end of 2018, more than half of the companies affected by GDPR will still not be in full compliance. After all, businesses in the EU are reacting slowly: some treat it as check-box compliance, others assume it won’t affect them because of Brexit (it will), and a small but notable minority (one in five small and medium businesses) are completely unaware it exists.

Observing their EU counterparts’ lackadaisical attitude, U.S. companies might assume they are immune to GDPR. That would be a mistake. Taking the regulation seriously requires more than a cursory understanding of it; it means grappling with the way GDPR fundamentally overhauls large-scale notions of data privacy, and then seizing the moment to improve business practices and create real value.

It Impacts You

Glance at your customer base. If you process the personal data of even one person located in the EU while offering them goods or services or monitoring their behavior, you can fall within GDPR’s territorial scope regardless of where your servers sit (Article 3: Territorial scope), and moving that data to the U.S. must then satisfy the rules in Chapter 5: Transfers of personal data to third countries or international organizations. Note that the test is where the data subject is, not whether they hold EU citizenship. Is there a Fortune 500 company this wouldn’t apply to? The U.S. and EU form the largest and most complex trade and investment relationship in the world. The billions of dollars shuttled between North Atlantic shores each day add up to astronomical totals of goods and services exchanged: $1.1 trillion in 2014.

In the digital world, money exchanged is data exchanged. Instantaneous connections may give the appearance of closeness, but the data that underpins them can circle the globe, passing through dozens of computers and networks just to reach a relatively nearby physical point. Commerce complicates the pathways further. When you order an item located in China on Amazon from your Apple phone and receive a confirmation email in your Google inbox that you open the next day at your work computer, where is all the personally identifiable information (PII) associated with that simple transaction stored, and who can access it?

What EU regulators understand is that individuals, as they become more aware of the digital revolution’s possibilities and limitations, are demanding increasing levels of control over their data. The GDPR provision that has gained the most attention is Article 17, the Right to Erasure, commonly known as the “right to be forgotten.” Under it, data subjects can require a company to delete their personal data. An erasure right existed under the DPD, but in practice it was reserved for cases where continued processing was unlawful or caused unwarranted and substantial damage or distress. GDPR lowers that threshold: under Article 17(1) a data subject can demand erasure when, for example, the data is no longer necessary for the purpose it was collected for, they withdraw the consent the processing rests on, or they object to the processing. The right is not unconditional; Article 17(3) preserves exceptions such as a legal obligation to retain the data or the establishment and defense of legal claims, so a company must be able to identify which ground applies and respond accordingly.

From the customer’s standpoint, these rights are a legal means to serve ethical and security-related ends. For businesses, GDPR is that too, and a data problem-set to boot. In 9 months, when EU data subjects begin exercising their right to be forgotten, will you be able to locate their data? And just because you found one entry, how can you be certain you found every entry? What if the customer opted out of an email list a decade ago, and their information was siloed in a remote data store, somehow joined to sensitive PII, synced to a third-party marketer, stolen in a breach, and is now floating around the dark web?

Or what if, quite simply, the customer ordered a product and called for service before you overhauled your data? Or what if their data lives with a third-party processor without your knowledge? Under GDPR, obligations extend beyond data controllers to data processors: Article 28 requires a written contract with every processor, and a controller remains answerable for processing done on its behalf. If a processor you contract with is noncompliant, you could be too. Businesses that understand data’s sprawling, complex pathways will look to solutions like master data management (MDM), the discipline that brings clarity to murky data waters.

MDM and its related discipline, data governance, have been around for some time. The underlying technology is often clunky to implement, taking years and millions of dollars of investment to complete. Recently, solutions applying newer technologies such as artificial intelligence (AI) and machine learning have brought a more intelligent approach that promises to address requirements like GDPR more directly.

Go to Them Before They Come to You

Is less than 1 year (remember, GDPR applies from May 2018) long enough to adapt to sweeping new regulations? That is all that remains of the 2-year transition period that began when GDPR was adopted in April 2016, though the organizations paying attention have been preparing since January 2012, when, for the first time in nearly 2 decades, the European Commission proposed reforming the existing data rules. A prime reason to be at the forefront of compliance is figuring out how your organization will handle provisions like Article 37, which requires the appointment of a data protection officer where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale,” or where the entity conducts large-scale processing of “special categories of personal data.”
