The Impact of GDPR on U.S. Companies
What is the EU GDPR Privacy Regulation?
The EU GDPR (General Data Protection Regulation) is a regulation that lays down rules relating to the protection of the Personally Identifiable Information (PII) of people in the EU, covering both the processing of personal data and the free movement of personal data. Its compliance mandate requires a new personal privacy protection process for a broad set of companies. Compliance is required by May 25, 2018.
Different from other privacy laws that focus on Sensitive Private Information (SPI), GDPR focuses on any personally identifiable information.
This is a regulation, not a simple directive, and it carries the force of law: it must be applied in its entirety across the EU. The GDPR also applies to organizations located outside the EU (including in the U.S.) that offer goods or services to, or monitor the behavior of, data subjects in the EU. About two thirds (2/3) of U.S. companies think that GDPR will apply to them.
The reality is that this regulation applies very broadly: to any company that gathers personal data (not just private data) and processes it, for example through website “contact us” forms, ecommerce transactions or social platforms, and it also covers commonly collected personally identifiable data such as user email addresses, phone numbers, postal addresses, cookies and IP addresses.
Compliance is enforced by fines of up to 4% of worldwide annual revenue or 20 million Euros, whichever is higher.
Immediate Impact of GDPR on U.S. Companies
So, given the broad scope of GDPR and the fact that it applies to U.S. companies as well, what is the likely short-term impact on companies in the U.S.?
- U.S. Companies with a Europe presence will be held directly accountable to be compliant. Demonstration of compliance is mandatory.
- U.S. Companies that have European customers, suppliers or partners will be held to the EU GDPR standard as well. Just as companies that work with healthcare organizations or U.S. government agencies are asked to comply with those sectors' rules, you will be asked to comply and are regulated.
- U.S. Companies that collect data on or from European citizens will be held to the Standard. If you collect data and process that data from EU persons, you are regulated too. This can be as simple as “contact us” forms, ecommerce information, social networking or other interactions online or otherwise.
If you are in this group, you need to have someone help you through the process of GDPR compliance.
The Future Impact of GDPR on U.S. Companies
Given the personal privacy issues in the U.S. involving Facebook and other social media companies, and the numerous breaches of personal private data reported each year, it is reasonable to assume that regulations similar to GDPR will be passed at the state level and ultimately at the federal level in the U.S. This will leave us in a situation where “in the future every company will be required to be compliant with protecting Personally Identifiable Information (PII) for all persons that we serve”.
This argues for companies to get their houses in order now and provide at least “best practices” level security across their organization. Additionally, the handling of personal data needs to be managed as if it were private data such as Social Security numbers or credit card numbers.
Impact of GDPR on Small to Medium Size U.S. Companies
GDPR, like most cyber security regulations, provides some relief for small companies. The EU GDPR states that all measures and requirements should be “proportionate to your size, scope and nature”. eSecurity Solutions can help you make those tradeoffs when selecting solutions for GDPR compliance in your organization.
Getting Compliant with GDPR – The Process
The compliance process requires a series of steps to assess, define, remediate and document your plan. Here is a top-level summary.
- Information Audit (PII & Processing)
- GDPR Audit
- Definition of Auditable Units and Gaps
- Security Risk Assessment on Auditable Units
- Create Compliance Plan
- GDPR Implementation/Remediation Project Plan (implement code of conduct solutions, security, training, third parties, policies, procedures, etc.)
- Test and Document Compliance
- Implement Support Systems
- Continue to Monitor and Update Plan and PII Privacy Solutions
Check out the recent GDPR Compliance Guide