The European Union’s General Data Protection Regulation (GDPR) has really already arrived. But it officially goes into effect in about three and half weeks on Friday, May 25th. In preparation, some companies have been mapping out all of their processes across their entire company, and aggressively revising and documenting procedures, so that they are compliant with the GDPR as they capture, store, share, manage, and/or delete personal information of any European citizen with whom they are doing business. The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
It may be a sweaty sprint over the next few weeks for some to try to meet the deadline. What is there to sweat? There is a tiered penalty approach with the maximum that organizations can be fined being up to 4% of annual global turnover for breaching GDPR or €20 Million, whichever is greater. (Roughly $24 million USD.) Essentially, if you want to conduct business in Europe, it's best to just comply.
This Forbes article, GDPR: Is Your Company Ready?, explains that ignoring GDPR is simply not an option for any size company whose business touches the personal data of EU citizens in any manner. It is just the beginning of a new era of much stricter data regulations too! We are already seeing countries like Australia and Canada moving towards nearly the same requirements.
According to that same Forbes article, companies need to do three things after realizing that they should get going immediately:
- Understand GDPR and the requirements
- Assess the company's risk
- Leverage GDPR to improve internal security practices
There was a recent report from Ovum that showed that almost 60% of U.S. companies expect to face fines for noncompliance. According to their research, "over 50% of global businesses believe they will be fined as a result of the GDPR. If we break this down by country and region, it means that 62% of German companies, 59% of U.S. companies, 53% of UK companies, 42% of French companies, 56% of ANZ companies and 32% of South American companies think they will be fined as a result of the GDPR." Most people believe that regulators are likely to be more lenient if you can demonstrate a good faith effort to comply.
While many IT departments are leading the charge towards compliancy, this is a project that every team in the organization is likely to be involved with. In this article, Christine Lyon, a partner at Morrison and Foerster, a law firm in Palo Alto, California explains, "HR plays an important role in this process. Many people believe GDPR is an IT and security issue, though HR is one of the key data capture centers, and many of the requirements in the regulation affect how the company captures and disseminates data about its EU employees and recruits. There are a lot of opportunities for HR to take leadership roles in responding to GDPR. HR understands the importance of data privacy and regulatory compliance, and they know how employee data is managed." This is exactly what global mobility managers and teams should be considering: how are they processing and passing information to partners and how are those partners handling the data?
This Workforce article, GDPR Is Nearly Here. Are You Ready? claims that GDPR boils down to two main issues:
- People have the right to their own personal data, even if it is collected by an organization
- Privacy needs to be embedded throughout every data handling process in an organization to ensure compliance
Hopefully this is the 25th article and not the first one that you have read related to GDPR!
“It represents a sea change in the way companies will manage data,” Dittersdorf said. And U.S.-based companies are not immune. According to a report from Ovum, the financial technology company, two-thirds of global businesses expect the regulation to force changes in their European business strategy. While the regulation was approved in April 2016, companies are still scrambling to achieve compliance by the May 25 deadline, said Christine Lyon, partner at Morrison and Foerster, a law firm in Palo Alto, California.