On May 25, 2018, new data protection regulations will take effect throughout Europe. This General Data Protection Regulation (GDPR) will change how businesses are required to notify consumers with respect to their data. The GDPR also expands reporting obligations for companies that experience a data breach. Although the GDPR is specific to Europe, it will also affect some American companies with an overseas business presence.
The key components of the GDPR include:
- Treating IP addresses, cookies installed on a user’s web browser, and other technical DNA as personal data;
- Expanding data protection regulators’ power to issue larger fines for regulatory noncompliance;
- Requiring websites to ask for a user’s explicit consent before using personal data and to simplify processes for withdrawing consent;
- Enabling individuals to ask companies to disclose what data they hold and to delete it if desired;
- Giving parents and guardians an option to give consent for use of a child’s personal data;
- Expanding customers’ authority to request data transfers among different internet service providers.
The GDPR is essentially an expanded consumer protection bill. These regulations also have a cognate in the United Kingdom under a proposed UK Data Protection Bill.
Implications for American Businesses
U.S. companies that do electronic business in the United Kingdom and Europe will have to comply with new regulations. This is because those regulations cover the personal data of individuals based on their geographical location. The geographical jurisdiction of the company is not the controlling factor.
Preparing for GDPR Implementation
U.S. companies can begin to prepare for implementation of the regulations by focusing on a few general areas.
First, it’s important to note that the GDPR defines two classifications of companies that use electronic data: controllers and processors. A company can fall into one or both classifications, based on how it fits into the GDPR’s definition of each.
Second, a company should determine a baseline of its current policies with respect to collecting and maintaining personal data. This includes auditing all current storage processes and deletion policies. Does your company have an explicit policy? If so, are you following it? Is there a way to streamline your data processes? Companies may choose to create a “single view” on users rather than dispersing their data across different storage systems, for example.
Next, an organization will likely need to redesign the disclosure and consent sections of its European and UK web presences. The organization must give European consumers expanded choices to opt out of data collection. And, companies must provide more affirmative information on how they use and collect personal data.
Last, all companies should enhance their data protection technology and prepare comprehensive response strategies. The reporting obligations in the GDPR impose a higher standard on companies to issue notices of data breaches. Failure to comply with those obligations can lead to significant fines.
A cyber insurance policy is one of the more effective response strategies a company can adopt to reduce GDPR risks. Policies provide reimbursement for regulatory fines and third-party liabilities companies may face if they violate the GDPR.
We will not know the full impact of the GDPR until after its enforcement. However, taking a close look at data practices and enrolling in cyber insurance now will give businesses a head start. In the event that you do experience a data breach that compromises consumer data, you’ll be ready to act quickly.