You’re a large organization headquartered in the U.S. Your clients and customers live mainly in the U.S. You have no intention to expand beyond the U.S. What could you possibly need to know about new data rules in the EU? Everything, it turns out.
This article originally appeared in Big Data Quarterly.
How the European Union General Data Protection Regulation Affects U.S. Businesses
On May 25, 2018, the General Data Protection Regulation (GDPR) will officially replace the EU’s existing Data Protection Directive 95/46/EC, commonly referred to as “DPD.” GDPR is the largest and widest data privacy act in history, and it comes with draconian consequences: fines of up to 20 million euros, or 4% of annual global turnover (whichever is greater). Could EU regulatory tentacles reach across the pond and bankrupt your business?
Gartner thinks it’s possible; it predicts that by the end of 2018, less than 50% of companies affected by GDPR will be in compliance. After all, businesses in the EU are reacting slowly, with some treating it like “check-box compliance,” others thinking it won’t affect them because of Brexit (it will), and a small but notable minority (one in five small and medium businesses) completely unaware it exists.
In observing their EU counterparts’ lackadaisical attitude, U.S. companies might assume they will be immune to GDPR. But it would be a mistake not to take it seriously. That will require, however, more than a cursory understanding of the regulation. It will entail grappling with the way the GDPR is fundamentally overhauling large-scale notions of data privacy—and then seizing the moment to improve business practices and create real value.
It Impacts You
Glance at your customer base. If you have a single customer who is an EU citizen, you could be subject to GDPR compliance (Chapter 5: Transfers of personal data to third countries or international organizations). Is there a Fortune 500 company this wouldn’t apply to? The U.S. and EU form the largest and most complex trade and investment relationship in the world. The billions of dollars shuttled between Northern Atlantic shores each day amount to astronomical totals of goods and services exchanged: $1.1 trillion in 2014.
In the digital world, money exchanged is data exchanged. Instantaneous connections may give the appearance of closeness, but the data that underpins those connections can circle the globe, passing through 40 computers and dozens of networks just to travel to a relatively nearby physical point. Commerce complicates the pathways. When you order on Amazon an item located in China from your Apple phone and receive a confirmation email in your Google inbox that you open the next day at your work computer, where is all the personally identifiable information (PII) associated with that simple transaction stored, and who can access it?
What EU regulators understand is that individuals, as they become more aware of the digital revolution’s possibilities and limitations, are demanding increasing levels of control over their data. The GDPR provision that has gained the most attention is Article 17, the Right to Erasure, commonly known as the “right to be forgotten.” Under this provision, citizens can request that companies delete their data entirely. While this level of control has always been available, it was limited under the DPD to situations where the data’s existence caused unwarranted and substantial damage or distress. By eliminating that threshold, GDPR decrees that citizens have the right to have their data deleted simply because they want it to be.
From the customer’s standpoint, these rights provide legal means to serve ethical and security-related ends. For businesses, the GDPR is that too—and a data problem-set to boot. In 9 months, when EU citizens begin exercising their right to be forgotten, will you be able to locate their data? And just because you found one entry, how can you be certain you found every entry? What if the customer opted out of an email list a decade ago, and their info got siloed in a remote data outpost, somehow attached to sensitive PII, synced to a third-party marketer, stolen in a breach, and is now floating around the “dark web”?
Or what if, quite simply, the customer ordered a product and called for service before you overhauled your data? Or what if their data lives on a third-party processor without your knowledge? Under the GDPR, the laws will extend beyond data controllers to data processors. If a processor you contract with is noncompliant, you could be too. Businesses that understand data’s infinite, complex pathways will look to solutions like master data management (MDM), the discipline that brings clarity to the murky data waters.
MDM and its related discipline, data governance, have been around for some time. The underlying technology is often clunky to implement, often taking years and millions of investment to complete. Recently, innovative solutions applying new technologies such as artificial intelligence (AI) and machine learning have brought a more intelligent approach that promises to address issues like GDPR more distinctly.
Go to Them Before They Come to You
Is less than 1 year (remember, GDPR goes into effect in May 2018) long enough to adapt to sweeping new regulations? That’s how much time organizations are getting with GDPR, though the ones paying attention have been preparing since early 2012, when, for the first time in nearly 2 decades, the European Commission proposed reforming the existing data rules. A prime reason to be at the forefront of compliance is figuring out how your organization can handle new provisions like Article 37, which requires the appointment of a data protection officer where the core activities of the data controller or the processor involve “regular and systematic monitoring of data subjects on a large scale,” or where the entity conducts large-scale processing of “special categories of personal data.”
Most companies on the scale of the ones subject to the law will already have a data protection officer or something similar. But will that position be in compliance with Article 36, which stipulates, among other things, that the officer be “involved, properly and in a timely manner, in all issues which relate to the protection of personal data,” or Article 39, which lays out the officer’s six tasks, one of which invokes the stipulations of Article 35, the law about assessing data protection initiatives, which itself refers to multiple other articles?
When overseas businesses encounter this thicket of regulations, they might be tempted to just give up. But some are embracing the challenge by hiring employees whose job is solely to investigate GDPR compliance. The need for more data oversight, especially at multinationals with decentralized offices, could be a reason to bring data to the C-suite by hiring a chief data officer (CDO), something Gartner estimates 90% of large organizations will do by 2019.
Thrusting data oversight to the forefront is a smart bet in the age of high-profile breaches, such as the 1.5 billion accounts hacked from Yahoo 2 years ago. Breaches can ruin individuals’ lives, damage businesses’ sales, and erode public trust. In the case of Yahoo, a breach can lead to the largest class action lawsuit in history. Had GDPR been in effect in 2015, Yahoo, with $4.9 billion in revenue, could have been fined almost $200 million.
Can GDPR represent an opportunity? In their most organic state, businesses reject regulations; what enterprise wants to be told to tamp down on the money-making? But, deep down, businesses know they need arbiters of fair play. And the best ones play the rules to their advantage. With the unprecedented GDPR looming, savvy organizations have already started internal audits of data. They are dusting off old servers, peeling away the layers of amalgamated security and storage systems, and planning for the future strategically. They are aware that, although the GDPR won’t undergo wholesale changes for many years, commerce will continue to modernize—cloud computing, AI, Internet of Things, augmented reality, and the end of smartphones. As everything digitizes, data increases exponentially. If it is not safe and secure, it is not valuable.
As businesses undergo the GDPR adoption process, they will discover that their situation is not, in fact, so unprecedented. It was only 15 years ago that the U.S. passed the Sarbanes-Oxley Act (SOX) to protect shareholders, workers, and consumers from corporate accounting fraud. Grown from the disastrous financial scandals of Enron, Tyco, WorldCom, and others, SOX forced companies to keep meticulous, sophisticated data records that were subject to outside audit and came with steep penalties of not just money but imprisonment.
While the legislation passed Congress with near-unanimous support, over the early years of implementation the law garnered praise and criticism alike. So perhaps it is not striking to see how it continues to get lumped in with other federal regulations as an IT headache. But what such treatment shows is that SOX compliance invariably leads to cost savings and business satisfaction. In one recent poll, three-quarters of financial advisors said that their clients would benefit if all public companies were subject to SOX’s controversial Section 404 requirement, which mandates that they report on the effectiveness of their internal financial controls.
When severe situations call for new systems of oversight, the winners are those that don’t panic and do their due diligence. Technology will still drive human interconnectivity, and governments will continue to preserve that still-coveted human desire called privacy. Opportunities for seemingly unlikely players—U.S. businesses with EU networks—lie everywhere in between.