New European Union General Data Protection Regulation affects United States businesses
The EU GDPR becomes enforceable in May 2018, after a two-year post-adoption grace period. This raises concerns about how US businesses might be affected. What follows is a brief evaluation of the regulation as it bears on trade with EU member countries, and of its potential impact on business processes. GDPR will be a new challenge for business owners in the United States and, in practice, anywhere business is conducted online.
GDPR applies to all companies, regardless of their physical location, that process or hold the personal data of individuals in EU member countries (data subjects).
Global perspective: what are others doing about GDPR?
It is useful to know what others are doing about GDPR. Survey data collected in November 2017 gives a picture of what is happening in companies around the world:
- 50% do not know about the impact of GDPR on their business
- 9% of US firms say they have allocated more than $10 million for GDPR compliance
- 77% budgeted at least $1 million to comply with the regulations
- 83% of US privacy professionals expect GDPR spending to be in the six figures
- 61% of US companies had not yet begun implementing a compliance program
Which departments are affected, and is it only IT staff who should be worried about GDPR?
Article 3 of the GDPR (territorial scope) says that if you offer goods or services to people in the EU, or monitor their behavior, you are subject to GDPR requirements even if you have no establishment in the EU.
Depending on your products (goods or services) and business model, practically every department of a company can be affected by this regulation. At a minimum this includes Marketing and Sales, where first contact with an EU individual is usually made. Every marketing email or sales event has the potential to gather the personal data of people in the EU. Any remote communication with EU member countries, whether by phone, email or website, ends up storing that information in some form and falls within the scope of GDPR. The outermost layers of a business are the first nodes affected.
To identify the scope of your journey to compliance (or, with luck, to discover that you are not affected at all), you need to review your business workflow in depth. That is a systematic exercise, not a blind leap into the technical middle of the battle. Today's businesses rely more and more on technology, mainly software, but that does not mean you should start with your technical departments (IT engineering, software development, webmasters and so on). The very first step is to know your workflow; if you already have that documented, you are well ahead of most others.
Do you need help implementing GDPR? Do you need a gap analysis?
The answer can easily be determined through a gap analysis, but first evaluate the level of knowledge in your organization regarding regulations in general and GDPR in particular. Chances are there is a tech-savvy employee with a basic understanding of the subject; otherwise you will have to seek external consultation to do the initial analysis and write an implementation plan.
For the implementation itself, everything depends on the result of that analysis. If systems and workflows are clearly documented, implementation is a matter of connecting the dots from system to technology. You may need help choosing the technology, but that is not a big deal as long as you can define the problem and know exactly what is missing.
Without a clear understanding and documented systems and workflows, starting right off the bat with data mapping will be tedious and, depending on company size, will require extra help.
Some generic actions are described here.