But what are they working to comply with, and why now?
The answer is GDPR, which brings significant changes to consumer data protection rules in the EU.
Today we’re taking a closer look at what the GDPR is and what it means for members of our local business community here in the Jacksonville area. Whether your business is small or massive in terms of employee numbers, if you have customers or contacts in Europe, these rules apply to the ways you gather and use customer data today, as well as to how your business reports data breaches and handles other security and privacy-related issues. Let’s dig in.
What is this GDPR thing anyway?
If you haven’t already heard of the General Data Protection Regulation or GDPR, which the European Union adopted way back in 2016, you’re certainly not alone. However, your business may be directly affected by these new data privacy and security rules, which came into effect on May 25, 2018. Uh oh, right? Not necessarily…
If this is the first you’re learning about GDPR, don’t worry. Yes, you are behind the deadline, but a Ponemon Institute survey of over 1,000 US- and European-based companies (of various sizes in a range of industries) back in April found that a full 40% were not planning to be compliant by the deadline, and another 8% of businesses did not know when they would be compliant. And some of these are huge multi-national corporations who definitely NEED to be compliant.
GDPR: great or “big, confusing mess”? Depends on who you ask…
Meant to offer European consumers some transparency on how companies they do business with use their data, the GDPR is an extremely complex set of regulations that some experts have deemed “a big, confusing mess.”
That may sound like a harsh critique, but they are not completely off-base.
The regulations are proving extremely difficult to understand for the legal and information security professionals tasked with bringing companies into compliance. And if the experts are having trouble, you can guarantee everyone else is, too.
This law does seek to accomplish many great goals, including allowing consumers more control over their personal data, as well as protecting privacy rights while holding businesses and other organizations who collect and use data more accountable. At the same time, these regulations promise to drive economic growth in Europe, which benefits the entire world economy.
You could face fines for non-compliance, but…
Unfortunately, very few experts are clear on what the GDPR actually means in practice, though it gives regulators the right to impose steep fines on businesses around the world that are deemed noncompliant. The language contained in the law is ambiguous and broad, somewhat on purpose, and it does not offer concrete guidelines for how most organizations should go about complying.
That sounds particularly scary, and many business leaders like yourself have been losing sleep over becoming compliant.
The good news for smaller businesses here in the States is that we do have a little bit of distance from the main GDPR action, and we can watchfully wait for a little while as regulators come online. Most have reported that they’re just not ready to enforce the law yet.
Of course, even if regulators are not ready, some parts of the law relate to users making information requests that you may have to respond to within 30 days if your business meets certain criteria. And, the law also sets a 72-hour reporting requirement for data breaches.
The million-dollar question: is your business affected?
YES. If your business has a physical presence, such as an office or manufacturing facilities, or has clients or customers based within any of the 28 countries that are currently part of the European Union, you are unquestionably affected by the GDPR.
Maybe. Things get trickier for businesses that collect data over the web. Even if you are US-based and don’t do any direct business beyond the borders of our home country, you need to ensure that you do not collect personally identifiable information from EU residents; otherwise your company is also affected.
The right to be forgotten
In Article 3, the GDPR states that if you have so much as collected names or behavioral data (such as website browsing statistics) from EU “data subjects” while they were at home in an EU country, your company is subject to the GDPR requirements.
For example, if your marketing team performed a survey through your website, and EU residents responded, those individuals have a right to know what information you have on file about them, as well as the right to ask you to delete that data permanently.
This “right to be forgotten” is central to the GDPR.
Your business has 30 days to respond to the request before the requestor can file a complaint with regulators, which can eventually result in a fine.
“Do I really need to worry about GDPR?”
If you do not want to worry about GDPR, you need to ensure that you never collect or store data about EU citizens in any of your systems, including email marketing databases or other online resources that you access.
And if your business operates in some specific industries that rely on digital marketing, such as e-commerce, hospitality, travel, or software/technology services, you may be targeting EU citizens, perhaps without even realizing it.
Proceed at your own risk. Marketing specifically targeted at geographic regions that include EU countries also triggers a compliance requirement. You’ll need to cease this type of targeted marketing in most of Europe. If this sounds impossible for your business, you’ll need to comply instead.
How you can comply
Does your business already follow existing security standards like PCI DSS or those published by the National Institute of Standards and Technology? If so, these new regulations won’t actually be too much of a stretch for your business.
If, on the other hand, you’ve never heard of these or any other US-based standards frameworks, getting your business into compliance with GDPR may seem like a Herculean task.
- Adjust opt-ins and opt-outs. You may need to adjust some of your web forms to allow for more opt-out options and to include more explicit language about what you do with the personal data you collect.
- Create better reporting practices. If you do experience a data breach of any size that involves personal information of EU residents, you must report this breach to regulators within 72 hours. While promptly communicating data breaches to those affected has become a best practice in data security, the GDPR solidifies reporting as a requirement.
Let us be your guide
As we’ve already shown, complete compliance guidelines are still a bit murky, but our team here at Antisyn is well versed in the new regulations. We also keep up with changes to the industry that are quickly resulting from the implementation of these standards.
As regulators get up to speed and more and more organizations come into compliance in the months and years ahead, the security and privacy landscape will continue to shift. We make it our responsibility to pay attention so you and your team can focus on running your business instead of learning about and responding to IT security compliance issues.
If your head is swimming after reading today’s update, we’d love for you to give us a call to discuss your needs. Antisyn is ready to be your full service IT partner right here in Jacksonville.