For the last year, Symantec and other cyber security companies have urged customers to prepare for the May 25, 2018 arrival of the General Data Protection Regulation (GDPR).
Yet with the new reality almost upon us, are companies in fact prepared for GDPR?
There has been no dearth of emails, written white papers, hosted webinars, sponsored events, web pages, ads and infographics, and more—all to raise awareness of the global impact of this new European Union (EU) framework for data protection laws. But the message is still not getting through.
“We predict that 80% of firms affected by GDPR will not comply with the regulation by May 2018,” Forrester Research recently concluded in its “Predictions 2018: A year of reckoning” report. “Of those noncompliant firms, 50% will intentionally not comply—meaning they have weighed the cost and risk and are taking a path that presents the best position for their firms. The other 50% are trying to comply but will fail.”
Why would GDPR apply to your US-based company? If you’ve been holding back on GDPR compliance because you’re assuming that it won’t apply to your company, it’s past time to rethink that assumption.
Yes, GDPR is an EU initiative. But GDPR clearly departs from the data protection directive (95/36/EC) it replaces by expressly extending EU data protection laws to businesses outside the EU. And while the directive was applied inconsistently, EU member state by member state, the new ‘regulation’ automatically becomes part of each EU member state’s legal framework.
GDPR applies when a business ‘processes’ personal data (the EU notion of personally identifiable information) of anyone in the EU, for the purpose of offering them goods or services—whether there’s payment or not—or monitoring their behavior. This is true no matter where the company is based, or where the data is processed, or whether the data is collected or processed automatically or on demand.
GDPR even applies to companies that have no direct EU customers, but who may process EU personal data via their customers who, in turn, interact with people in the EU.
The particulars of activities targeted by GDPR are still a little fuzzy. For example, putting up a website that people in the EU can access is not likely, by itself, to constitute ‘offering [them] goods or services’ if the website is not clearly intended for EU use. On the other hand, if your website uses an EU language or EU currency or mentions EU customers, your company likely falls within GDPR’s purview.
GDPR applies to personal data collected on ‘data subjects who are in the Union.’ This suggests that GDPR protects the personal data of anyone ‘in the Union’ at the time their data is processed: EU citizens, residents, tourists, any other persons passing through; physical presence is key. The potential pool of affected data subjects is thus much larger than just EU citizens.
All this essentially makes GDPR a global law—one that applies to an extraordinarily broad swath of humanity and business.
OK. GDPR may apply to your US-based company. But what about enforcement?
You probably know that GDPR comes with onerous penalties: Offenders can be fined as much as 4 percent of total global revenues or €20 million (currently around $25 million), whichever is greater.
But how does an EU regulator fine a US company under an EU law that has no US counterpart? Like this.
For US companies with a physical EU presence, it’s pretty clear that EU authorities can directly enforce GDPR, just as they have with other laws. You’ve probably heard about several high-profile cases in recent years, such as last year’s record $2.7 billion antitrust fine levied against Google.
Other US companies actively conducting business in the EU may be required to designate a local ‘representative,’ thus making it easier for a member state to enforce data protection laws.
Jurisprudence: EU courts, too, can rule against US companies. Again, there are many examples of this.
International law: EU regulators can issue fines according to international law. Combined with cooperation agreements between US and EU law enforcement agencies, it seems likely that EU regulators can not only fine US companies for GDPR violations but also enlist US authorities as their enforcers.
Forewarned is forearmed: If you’re among the 80 percent of affected companies headed for noncompliance, it’s in your best interests to audit your data protection policies as the first step in becoming GDPR-compliant.
And remember that the heart of GDPR is simply to protect personal data. Doing so will help ensure your company remains a trusted provider to customers and staff. Who wouldn’t want that?