As of May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) data protection law extends to all companies processing data of EU residents, including businesses based in North America. GDPR creates a new set of digital rights that puts the consumer in control of their personal data. The comprehensive mandate requires more than just managing a customer database. Information in marketing, human resources, IT and supply chain may also be affected. And with significant fines for non-compliance, GDPR cannot be ignored. In this article, we have summarized 10 common myths about GDPR to help North American business leaders understand how the regulation impacts them.
1) GDPR doesn’t apply to North American companies
Yes, it probably does. If your company does business with European citizens, you need to pay attention to GDPR. Did you have an Austrian citizen purchase a ticket and travel on your airline? Did you have a German citizen book a hotel through your website? Do EU citizens order merchandise from your company website? Did your hospital treat a Belgian citizen visiting the U.S.? Do you have suppliers based in an EU country? If you answered yes to any of these examples, GDPR may apply, no matter where the transaction happens.
2) We look at the GDPR fines as a cost of doing business in Europe
The EU Parliament made non-compliance an expensive proposition. There are 37 finable articles, and companies can be fined a maximum of up to 4% of their annual revenues or €20 million (approximately $25 million USD) against each article. There is a tiered approach to fines, so the maximum penalty may not apply to the first violation. However, if a company repeatedly ignores GDPR regulations, the fines will be substantial and the local Data Protection Authority can suspend a company from data processing.
3) We don’t have any EU residents in our customer database
GDPR applies to both structured and unstructured data, which means it affects more than just traditional databases. Unstructured data includes emails, photos, word processing documents, presentations, webpages and video files. It is also information that does not traditionally reside in a row/column format. Experts estimate that 80-90% of data in any organization is unstructured. And unstructured data usually grows exponentially when compared to the growth of structured databases.
4) North Americans aren’t as worried about protecting their data
Customers care about their data. In the U.S., 59% of internet users said their most concerning issue about their online usage is cybercrime such as having money or personal information stolen. Data and privacy breaches cause a lack of trust between you and your customer. Under GDPR, you can only collect the information you need to complete a transaction. Consumers can request to see the details you have on file and correct any mistakes. They can also ask you to transfer data to another organization under certain conditions. GDPR puts control of personal data in the hands of the consumer.
5) Companies outside the EU can wait to report a data breach
In 2017, Equifax security systems were compromised and their database breached. It is estimated that the names, addresses, Social Security Numbers and credit card numbers of more than 140 million Americans were accessed during the attack. Equifax waited six weeks before it reported the breach and the extent of the data accessed may never be known. Under GDPR, a company has 72 hours to report after a breach has been detected. In fact, the Data Controller has a legal obligation to notify the authorities within this timeframe. Companies are also required to notify people affected by the breach. The most fundamental principle of the GDPR is the obligation to process personal data “lawfully, adequately, accurately and securely.”
6) As long as we don’t have a person’s name, we can collect information on EU citizens
GDPR expands the definition of personal data, and a person’s name is not considered the sole identifier. Photos, medical records, financial status, fingerprints, banking details, social media posts and more can be used to identify a person. The data can relate to a person’s personal or professional life. If you are collecting information on EU citizens that could be used to identify them, you need to comply with GDPR.
7) We made the font size bigger on our consent form
There are no more “tick” boxes on lifetime consent forms. GDPR strengthens the condition of consent in favor of the consumer. The days of small type and scrolling through a massive amount of text are gone. Companies will no longer be allowed to use consent forms filled with legal jargon that is incomprehensible to the average person. The request for consent must be in clear and plain language in a format that is readable. For sensitive personal data, only the “opt-in” option will be considered sufficient for consent.
8) The “Right to be Forgotten” will just mean we delete a record
Under GDPR, consumers are given control over their data and this includes being “forgotten” by a company. However, depending on how you use the data, simply deleting a name may not be enough to get rid of all the identifiers or may impact other data in your systems. The right to be forgotten needs more planning than a delete key.
9) We can wait to appoint a Data Protection Officer (DPO) until we have a breach
While not every company requires a DPO under GDPR, it is recommended that one be appointed as quickly as possible. It can take up to one year to perform data analytics and review cultural behavior to drive process change in most large organizations. The DPO required under GDPR is a serious position and can be either an employee or a third-party contractor. They need to have expert knowledge of data protection law and practices, must have appropriate resources to do their job and keep up to date on security, must report to the highest level of management, and must not have any conflicts of interest. They also need to maintain a Data Protection Register and report all data breaches.
10) Our IT department will figure it out by the deadline
GDPR affects more than just your IT department. It impacts business processes across an organization. Business change is going to be part of becoming GDPR compliant. According to Dimensions Research in 2017, 61% of U.S. privacy professionals have not begun their GDPR implementation and 98% say they require additional investments to comply. The same survey showed that 23% of large U.S. companies expect to spend more than $1M to comply with GDPR. It is a significant investment of time, resources and budget and it cannot simply be handled by IT. GDPR is about establishing good data privacy practices.
Written by Philip Higginbotham, Principal – Insights & Data Practice at Capgemini and Philip A. Jones, North America GRC Practice Leader – GDPR COE at Capgemini