Do US Organizations Need to Comply with GDPR?
The penalties for ignoring the General Data Protection Regulation are significant. Failure to comply with these new compliance regulations can result in a fine of up to $24,000,000 USD (€20 million) or up to four percent of your company’s annual “global turnover” for the preceding year, whichever is greater.
The General Data Protection Regulation (GDPR) was passed into law by the European Union Parliament in April 2016, with an enforcement date beginning May 25, 2018. With the deadline quickly approaching, organizations are running out of time to determine whether and how the regulation applies to them. If it applies to you, how will you implement changes in your IT processes that may be necessary to comply with the requirements?
These reforms will give European consumers new rights and control over their personal information. The GDPR will also impose new obligations on businesses regarding the extent to which they collect personal information. These reforms cover not only data collected from EU citizens, regardless of where they reside, but also data from individuals who reside in the EU, regardless of their nationality. To understand where you stand, you need to ask yourself the following questions and make the accompanying provisions:
Does it apply to us?
It is easy for American companies to mistakenly ignore GDPR as an “EU Regulation.” However, any American company that already does (or is looking to do) business with companies or customers in the EU or UK will be required to show that they are fully compliant. As we move towards a global economy, doing business “anywhere and everywhere,” it becomes critical for competing businesses to demonstrate full compliance with all data-related regulations.
Any organization that decides why and how personal data is processed is a “data controller and/or processor.” The GDPR applies not only to businesses in the European Union, but also to all organizations outside the EU that process personal data in order to offer goods and services to the EU, or to monitor the behavior of “data subjects” within the EU. These organizations should appoint a representative to act as a contact point for the data protection authority (DPA) and for data subjects.
Are additional dedicated data personnel required?
A Data Protection Officer (DPO) must be appointed where:
- processing is carried out by a public authority or body (excluding courts).
- the core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
- the core activities consist of processing special categories of data under Article 9 or 10 on a large scale.
The role of the DPO includes informing and advising the controller or processor and relevant staff of their obligations under the General Data Protection Regulation and any other relevant data protection provisions. The DPO must also monitor compliance with the GDPR and with internal policies relating to the protection of personal data.
EU Member States may also make the appointment of a DPO mandatory by law under other circumstances that they may define.
How does this affect cross-border data flows?
Data transfers to any of the 28 EU member states are still allowed, as well as to Norway, Liechtenstein, and Iceland. Transfers to any of the other 11 countries the European Commission (EC) deemed to have an “adequate” level of protection are also still possible. Outside of these areas, appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., EU “Model Contracts”) should be used.
When selecting or evaluating data processors outside the European Union, EU-based data controllers should pay specific attention to new mechanisms under the GDPR in order to ensure appropriate controls are in place. Outside of the EU, organizations processing personal data on EU residents should select the appropriate mechanism to guarantee compliance with the GDPR.
Should we prepare for data subjects exercising their rights?
Data subjects have extended rights under the GDPR. These include the right of access, the right to be forgotten, the right to data portability, and the right to be informed (e.g., in case of a data breach). If your business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls.
What do we need to do?
Very few organizations have identified every single process in which personal data is involved. Going forward, purpose limitation, data quality, and data relevance should be decided when a new processing activity is started; this helps maintain compliance in future personal data processing activities. Organizations must demonstrate an accountable posture and transparency in all decisions regarding personal data processing activities. Outside parties must also comply with the relevant requirements, which can affect supply, change management, and procurement processes.
It is important to note that accountability under the GDPR requires proper acquisition and registration of data subject consent. Pre-checked boxes and implied consent will be left in the past. Consent now requires a clear and direct action by the data subject, so organizations need streamlined techniques for obtaining and documenting both consent and its withdrawal.
Demonstrating Accountability
The following objectives are critical to demonstrate accountability in all processing activities:
- Identify and classify personal data
- Implement a governance plan for personal data
- Establish procedures for personal data management
- Protect personal data through specific security measures
- Implement specific notification, records maintenance, and reporting procedures
- Implement ongoing training on awareness of global security risks and business practices
You need to optimize your company’s ability to meet the articles of the GDPR, specifically those that relate directly to document handling. The Contentverse Enterprise Content Management (ECM) solution provides the tools to streamline your processes and meet these requirements.
These are the fundamental requirements of an ECM solution that facilitates all relevant articles of the GDPR:
- Ability to store and secure any file format within a structured repository, enabling pseudonymization by applying encryption and fully protecting documents at rest and in transit. In addition, after decryption, individual areas of data can still be obscured using redactions so that partial information remains hidden from all but a designated set of individuals.
- Having stored the information, provide a comprehensive security schema, based on your Net Operating Security Schema’s (NOSS) Users and Groups. This schema allows designation of who gets access to what, as well as what they can and cannot do with it once they are granted access. This simplifies control, responsibility, and accountability for the Data Protection Officer (DPO), Controllers, and Processors.
- Provide secure access from anywhere at any time.
- Designated users with access must then be able to quickly and easily identify all relevant data using a comprehensive array of search options, regardless of file format. This includes but is not limited to:
  - quick find or advanced search with combined and conditional search criteria
  - full text search across all image, text, and other file formats
  - identification by location and document type
  - identification by metadata values, complete with conditional parameters, dates (creation, modification), author, and version/revision
- Once identified, specific document data can be shared internally and externally with or without exporting, transmitting, or copying documents. This includes password-controlled access for user-defined time periods, which significantly limits the risk of unauthorized data breaches.
- The ability to apply to a document an unlimited number of authorizations, directives, guidelines, and observations (comments). These are also full text searchable.
- For all users, regardless of access rights and document permissions, fully automated audit trail records are generated.
- Fully automated version/revision control is available.
- Where automated workflow is required, an unlimited number of workflow processes can be made available, together with automatic notifications.
- Full report generation capabilities facilitating document listings, workflow instances, and audit trails, complete with report archiving and export options for data mining.
Computhink is transforming business environments with an array of integrated digital business solutions. Our Enterprise Content Management system, Contentverse, alleviates overwhelming information input and related office document processes in a secure environment. Access and interaction from any PC, laptop, tablet, or smartphone meets the demand for near-instant response. Customers experience accelerated proficiency with minimal or no impact on the ongoing formulation, support, and implementation of policies and procedures that address all aspects of compliance, especially the GDPR.