Knowing how GDPR is different from the regulations your company already complies with will help determine the problems you still have to solve. Contrary to what people often believe, U.S. companies could get badly burned by GDPR, because, believe it or not, international treaties are in place. So how can you avoid the unbelievable fines?

At the heart of GDPR lies individual privacy protection. Europeans consider data privacy a basic human right. As the joke circulating on the net goes: if the founding fathers had known that Snapchat was on its way, they might just have written it into the constitution. Something like “life, liberty, and the right to be able to erase those awkward pictures with Ben Franklin.”
As an American, you may be asking yourself, “Should my company worry about these laws?” After reading the following, you should be able to answer this question with confidence.
Since most companies of any size are most likely already compliant with some sort of regulation, the good news is that the infrastructure and processes are in place and compliance with GDPR will not require a reinvention of the wheel. Knowing how it’s different from the regulations your company is already complying with will help determine the gaps that exist between the two. Two aspects of GDPR that differ from US regulations are the scope of the data covered and the rights that are granted to citizens.
Scope of GDPR
Firstly, it is important to mention the extraterritorial clause in GDPR which makes clear that a company’s geographical location has nothing to do with the jurisdiction of GDPR. Whether a company is in Calgary or Calcutta, the rules still apply.
The scope of the data protected under GDPR is quite broad. Generally, it covers any information that can help identify a person in any possible way. The obvious categories such as SSN and DOB are covered, but so is GPS data, IP addresses, browser tokens, etc. If your company collects or stores any of these, it is going to be subject to GDPR sanctions.
Rights
As already stated, data privacy is considered a basic human right for Europeans. Under this umbrella are the rights of portability, erasure, and the right to object. Portability concerns a company’s ability to produce the data when directed and to use it across multiple devices. Erasure refers to the right to be forgotten. Finally, the right to object deals with consent (i.e. the 10 pages of EULA that everyone automatically accepts).
If your company’s systems could cross paths with a European’s data, compliance with GDPR should be a priority due to the size of the sanctions related to enforcement.
Sanctions in GDPR
Each member state designates a data protection authority to enforce GDPR. In the case of a data breach, or failure to comply with GDPR, companies can be fined up to 4% of annual global revenue, or €20 Million, whichever is more. This fine is not necessarily levied only after a breach; it could also come from a failed audit. There is a lower-tier penalty for lesser infractions that caps out at 2% and €10 Million, which could come as a result of simply failing to produce appropriate records for the enforcement authority.
For the especially severe violations listed in Art. 83, para. 5 of the GDPR, the fine framework can be up to 20 million euros, or in the case of a company, up to 4% of their total global turnover in the previous fiscal year, whichever is higher. But even the catalogue of less severe violations (Art. 83, para. 4) sets forth fines of up to 10,000,000 euros, or, in the case of a company, up to 2% of its entire global turnover of the previous fiscal year, whichever is higher.
What is a breach and what actions are required by GDPR?
One of the more drastic and controversial elements of GDPR is the requirement to report a breach within 72 hours of becoming aware of it. A company must not only notify the authorities, but also the data subject (individual), depending on the degree of harm that could come of the breach.
This is one aspect of GDPR that some states in the US have already addressed, albeit in a patchwork fashion. What’s more, it was addressed on the federal level by DFARS clause 252.204-7012, which contains a 72-hour reporting window. However, that clause covers security incidents involving controlled unclassified information (CUI) in execution of government contracts, and alas, doesn’t include the location of your grandmother’s GPS-enabled wheelchair.
Avoiding the burn
So how can your company avoid the existentially threatening fines of GDPR? Develop a plan, either with your internal staff or with a third-party expert. This will make it much easier to avoid the scenario from the title – U.S. companies could get badly burned by GDPR.
To find gaps and protect data, a full current state analysis of your systems should be conducted globally. Privacy impact assessments and risk analysis should be conducted. Current documentation such as system security plans, disaster recovery plans, incident response plans, etc. should be reviewed in light of this new context.
In general, there are three steps you should take immediately:
- Find the Data: Many companies do not understand the full data flow of their business, and how it affects the rest of their systems. Many systems are segmented into silos based on business functions, such as marketing and sales. One single missed sales record of a European citizen could already be cause for fines.
- Track the Data: Heads from all departments must come together to determine what personal data their departments currently use and what they will use in the future, and to discuss how all this data affects internal business processes. The business case needs to be made to executives that data protection is worth investing in and budgeting for.
- Make technical changes: There will likely need to be some changes to software systems, so change management meetings will need to be conducted. GDPR addresses encryption and pseudonymization of data, so these capabilities will need to be added to systems in many cases. Most importantly, data loss prevention (DLP) capabilities and data governance strategies must be included in any GDPR security plan.
- Personnel changes: GDPR explicitly requires a company to employ a data protection officer (DPO). There are no specific requirements for this position, except that the DPO should have expert knowledge of laws and regulations addressing data privacy.
What to do with WordPress websites?
WordPress is currently used by over 27% of the world’s websites, which makes it more than just “a system”. Many small companies use it for its pricing and simplicity of use, and many of those run some kind of e-commerce business, meaning they deal with customers’ data. If there is any chance of an EU citizen ending up in their database, they are already under GDPR and must fully comply with it. Luckily, WordPress itself, as well as developers around the world, have made sure there are a number of more or less easy options to comply.
While WordPress offered a partial solution with its version 4.9.6 (specific privacy settings), it’s far from enough for GDPR compliance. Hence, new plugins are appearing that can in fact cover the most important parts of GDPR compliance and will be really helpful to any non-techy website owner.
WordPress GDPR Fix plugin
We’ve checked two of the plugins that seem to be the most valuable to you. Remember, if you own any WordPress sites, we strongly suggest you take a close look at this: for an initial price of under $20, a WordPress GDPR Fix plugin can take many hours of your work away and secure the basic 7 mandatory things that GDPR requests.