“The question isn’t ‘What do we want to know about people?’. It’s ‘What do people want to tell about themselves’.” – Mark Zuckerberg
Many people believe that data privacy in this digital age is an oxymoron. This belief has lead to the inception of the European Union Data Protection Regulation which would be enforced on May 25, 2018. The European Union is not leaving any stone unturned to ensure that their citizens’ data is used wisely. So, you’d be thinking, “I’m not in the jurisdiction of the European Union. I’m in the US, there’s no way GDPR could reach all the way here!” Wrong! You’d need to think again and we’ll tell you just what!
Determine the ‘if’ and ‘when’ of GDPR application to your business
First, find out if you’re exempt from GDPR. Once GDPR is enforced, there are going to be surprises, of the not-so-pleasant kind. For instance, in the European Union, IP addresses are the equivalent of the identity of an individual, but under US law, they don’t. So, the companies that don’t consider themselves to be controlling or processing the data of the European Union Citizens may prompt GDPR, unknowingly. GDPR applies to any organization whose intended audience are EU citizens. Therefore, if you market your products or services through the internet and if you have a website, you’d need to be on guard for GDPR. If the processing relates to offering goods or services, GDPR would apply and if it doesn’t, find out if the processing relates to monitoring the behavior in the EU. If the answer is yes, then GDPR applies and if the answer is no, GDPR doesn’t apply.
Understand the primary requirements to be GDPR compliant
The first requirement is understanding the ‘Right to be forgotten’ or Data Erasure. It simply means that if an individual requests an organization to immediately erase any irrelevant or any factually misleading information about them, they would oblige. The second requirement is Data Protection Officers that the US organizations would need to appoint who would report to European Union on issues pertaining to GDPR compliance. The final requirement is ‘Breach Reporting’ which means that the companies are required to report a data breach to the Information Commissioner’s Office, within 72 hours of becoming aware of it, irrespective of the size and severity of it.
Discern the Cross-Border Transfer Clause
GDPR places organizations under a Cross-border transfer clause, which states that these companies can transfer data out of the country only to the specified nations of third parties that have adequate data protection policies as decided by the ICO. Typically, one would think that a transfer means the movement of data from one country to another. However, EU law is slightly different. For instance, even if the data is stored in the EU but can be accessed from, let’s say, New Zealand, then there is a data transfer. To deal with the Cross-Border Transfer Clause, we suggest that you assess your current mechanisms, ensure that the contractual framework is in place with the EU Standard Contractual Clauses, explain the data transfers to the individuals in privacy notices and background screening policies and constantly review your codes of conduct or certification schemes.
Spin GDPR to your advantage
Believe it or not, GDPR has some merit. A few advantages are highlighted below:
- Casting a light on dark data
- Expanding cross-functional collaboration
- Firing up data governance
- Escalating data-driven innovation
Because of GDPR, companies are cautiously mapping their data flows to know what data they have, how it’s used, how they can minimize the storage of redundant data and how they can safeguard that data. Every business should follow suit.
GDPR could be regarded as a fantastic opportunity for US organizations to review their data protection policies. By adopting a few concepts like privacy by design and data transparency, organizations can create a competitive advantage over businesses that don’t. Make privacy security your priority, remember the fines and penalties and what they entail. Embrace GDPR because it’s a sheep in wolf’s clothing helping you to implode the data privacy oxymoron.