With less than three months to go until the European Union’s General Data Protection Regulation goes into effect, businesses around the globe are looking for information on how to stay in compliance with what’s been described as the most important change in data privacy regulations in the past two decades.
According to a new report released by Pitney Bowes, in partnership with Forbes, businesses in the U.S. run the risk of losing customer confidence if they get ensnared in a GDPR violation. That loss of confidence, coupled with the potential for cancelled contracts, may ultimately be more motivating for businesses than the EU’s financial penalties for non-compliance.
When GDPR becomes enforceable in May, organizations must gain consent for data collection and processing. Businesses must make it easy for individuals to refuse and revoke consent. In certain situations, individuals will also have the right to request that their data be transmitted to other organizations. GDPR stipulates that “data protection should be central in the design of data processing practices,” and that any processing of personal data should be transparent.
Non-compliance within the EU isn’t the only issue at play. GDPR is intended to be a global regulation affecting any business processing personal data from EU residents. That means global businesses in the U.S. and elsewhere around the world need to understand their risk of exposure and how best to mitigate that risk by changing up their data protection practices.
“The rules follow the data, and even if [businesses] are not located in the EU themselves, but end up knowingly collecting any personal data of EU residents, the GDPR will apply,” explained Raymond Umerley, vice president and chief data protection officer at Pitney Bowes.
Although GDPR doesn’t become enforceable until the end of May, Umerley anticipates that a significant number of businesses will still be struggling to determine the overall scope and applicability of the regulations to their businesses. According to a 2017 report by Gartner, only 50% of companies impacted by GDPR are expected to be fully compliant by the end of 2018.
“Those organizations that were already complying with the EU Data Protection Directive, and to a lesser extent the EU-US Privacy Shield framework for data transfers, will be best positioned to meet the regulation requirements, though the work still required to document and verify their processes’ alignment to the regulation and maintain a register of those activities as part of accountability under GDPR should not be understated,” Umerley said.
The biggest obstacle to compliance, for many businesses, will be pinpointing what data they’ve already collected and where that data came from. Although overcoming this challenge is relatively straightforward when the data is static, it will be tougher for businesses that utilize unstructured and dynamic data, such as consumer location. According to the Pitney Bowes report, businesses should consider bringing in outside help, given that it’s unlikely that the knowledge required for compliance exists in-house.
“The definitions of personal data in the regulation are much broader than other jurisdictions,” Umerley said. “It’s extremely important to get awareness about the personal data that you hold, and to document what personal data you have, where it came from, why you have it, where it’s being processed, and who you’re sharing it with.”
GDPR also presents opportunities for global businesses. By complying with the new regulations, organizations can expect to see improved customer confidence and incident response, as well as a lower operational cost basis.
The Pitney Bowes report predicts that there will be a strong foundation for innovative products and services spawned by GDPR implementation. For example, a key piece of the legislation forces organizations to understand where their customer data is and how to bring it together. This could drive improved efficiencies around customer service and encourage marketers to get to the point of a single customer view.
“If you haven’t already, you need to get a handle on the personal data you have in your business, a familiarity with the GDPR scope and applicability, and map out a game plan towards compliance where necessary,” Umerley said. “It’s not too late to get started and the risk of non-compliance is simply too great to ignore.”
Stephanie Miles is a senior editor at Street Fight.