The General Data Protection Regulation (GDPR) will revolutionize how organizations capture, process, and utilize the data they hold on their customers.
Although the new laws will exclusively cover EU citizens, their implications will be felt much further afield. Any business that holds data (including IP addresses and online browsing history) on an EU citizen must be able to show where this information resides and that it was captured with the explicit consent of the individual in question.
The commercial fines for transgression will be severe, but the reputational impact could be greater still.
Moreover, the EU contains a number of lucrative markets for global businesses including Germany, France, and the UK. For its part, the UK will mirror the GDPR in a new set of post-Brexit regulations, so it will remain firmly under the auspices of its rules.
The GDPR is therefore not something that US businesses with international aspirations (current or prospective) can afford to ignore.
The GDPR in a US context
Data protection laws are nothing new, but the context of the GDPR makes its effects unprecedented. We live in an age of big data and complex ad exchanges, making the disentanglement of these networks all the more challenging.
As a result, there is no clear set of steps that a business can take to ensure GDPR compliance.
This challenge becomes steeper still when we assess the role of US-based multi-national corporations. That applies not only to their position with at least one foot outside of the EU, but also to the rather different notion of an individual’s privacy that exists in the US.
“In the EU, privacy is a right; in the US, it is a commodity,” says Peter Milla, Data Protection Officer at Cint. “That makes a significant difference when it comes to GDPR compliance efforts, as the central thrust of its requirements runs contrary to the American definition of privacy.”
This tension has surfaced before, most notably in the legal case of Maximilian Schrems vs. Data Protection Commissioner. Schrems, an Austrian lawyer, made a complaint in 2015 to the Irish Data Protection Commissioner that the data captured about him by Facebook (whose European HQ is in Dublin) was not protected sufficiently when it was transferred to the US, where Facebook’s servers process data. Schrems’ contention was overt: US data privacy laws cannot provide the security that an EU citizen expects and requires.
The Schrems case precipitated the end of the Safe Harbor agreement, which permitted the transfer of personal data from the EU to the US for commercial purposes. Safe Harbor has been replaced by the EU-US Privacy Shield. However, this has also been on the receiving end of a significant amount of criticism. Earlier this year, policy advisor Matt Allison referred to the ideological battle that makes the effective implementation of any such legislation so challenging:
The EU’s citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK, and trans-Atlantic companies may be forced into difficult choices about which regime best serves their interests.
Post-GDPR, that difficult choice will no longer exist, but the contrasting theories of the role of privacy will not disappear so readily.
PwC reports that 32% of US businesses plan to reduce their EU presence as a result of the GDPR. However, 64% of top executives plan to create a centralized data center in Europe to tackle this head on and commit to investing in the EU.
US businesses acknowledge that GDPR compliance will be accompanied by some expense, but most see this as a worthwhile investment.
GDPR compliance budgets are tied mainly to people costs
Peter Milla adds that the majority of GDPR-focused budget is spent on getting the right people in place, both internally and externally.
This includes the hiring of staff, with the role of Data Protection Officer taking on a renewed sense of significance. External consultants are also in high demand as businesses seek guidance on where their data resides, where it has come from, and whether they will be found culpable after May 25.
In particular, companies are asking these consultants to perform data protection impact assessments (DPIAs) to test their level of preparedness. DPIAs are applied to a range of scenarios and technologies, from low-risk to high-risk, to verify whether their customer data could be breached. Coupled with the centralization of data centers in the EU, this will help to mitigate many of the most common threats to data security.
These assessments should be familiar under the guise of privacy impact assessments (PIAs), which have been common practice in the US for some time now. While these can be an effective and proactive form of defense, they need to be embedded into the organization if they are to be successful.
It is essential to make sure that these DPIAs are accessible to a wide range of departments within a business, and not just the data privacy specialists. Many companies are engaging with the marketing, IT, and sales departments to complete these tests on a regular basis, with some even developing their own DPIA software.
Technology cannot provide a panacea
Technology plays a key role in compliance efforts, but many larger businesses have resolved to build their own solutions rather than rely on third-party vendors. This comes with the benefit of being tailored to the organization’s unique situation, in contrast with an off-the-shelf product.
Companies are, quite understandably, anxious to ensure that they do not fall foul of the new data privacy laws. That eagerness can be exploited by vendors offering a catch-all solution. However, businesses should resist the temptation to invest in these platforms unless they can provide a tangible benefit.
The reality of the situation is that very few people are in a position to make a reliable call on whether an organization is GDPR-ready or not, if such a concept even exists at this stage. A lot of money will be wasted over the next six months as increasingly worried, if well-intentioned, business leaders spend money on technology to try and guarantee that they will not be hit with a fine.
Until further guidance is provided, it would be more judicious to spend these resources within the confines of what we know for sure at the moment. Compliance will come as the result of an ongoing process, rather than a one-off panacea.
That applies equally to first- and third-party data, of course. It is for this reason that many US businesses are investing in trying to identify the steps in the convoluted data supply chains that underpin so much of the digital economy.
The GDPR references ‘Data Processors’ and ‘Data Controllers’, with both roles bringing their own set of responsibilities. US-based multi-nationals are keen to identify not only where their organization qualifies as a Data Controller, but also which individuals within the business will take on this role.
The third parties that process this data are not exempt from the GDPR, of course. As a result, large businesses are at pains to understand the extent to which their vendors are also compliant with GDPR stipulations. That takes a significant amount of time and internal resource, which comes at a price.
Another reason companies have set aside sizable sums that run into seven or eight figures is that securing these resources at the last minute would be nigh-on impossible. Bearing in mind that there is no blueprint for GDPR compliance and the deadline is closing in, allowing some room for error is a prudent approach.
Key takeaways: the GDPR for US businesses
The potential fines of $22 million or 4% of annual global turnover (whichever is greater) have made the headlines, but they are not the real story.
Ultimately, the GDPR aims to protect EU citizens from data breaches. The Equifax data breach is just one recent example of how damaging these lapses of security can be, with customers the only real victims.
It is worth remembering that the first fine doled out as a result of the 1995 Data Protection Directive did not arrive for more than a decade. That is not to play down the threat of a fine. EU citizens will be entitled to ask to see and delete their data, a right that many will exercise. The EU will likely appoint a specific ombudsperson to manage GDPR-related complaints and they will investigate any claims they receive. It is very conceivable that the EU would make an example of a high-profile company by doling out a large fine, if they have blatantly transgressed the GDPR for commercial gain.
However, US businesses should focus less on these threats and more on the opportunities that the GDPR brings. Given its inevitability, this seems a healthy mentality to adopt. The GDPR will usher in a new era of privacy awareness and will open the door for organizations to implement much-needed reforms. For those that have long wanted to see a more responsible approach to capturing and storing sensitive data, now is the perfect time to make that case.
With the majority of US multi-nationals setting aside more than $1 million to support their compliance plans, it appears that most businesses are prepared to spend to ensure that they make the grade.