Data can be described as the lifeblood of today’s economy. Through the years, its intrinsic value has evolved into a critical asset for business growth and competitiveness. And yet, the opportunity that data presents also comes with great risk and responsibility. Many battle over who should own and benefit from data, consequently elevating the need for privacy protection and stringent standards. What was once a business-practice afterthought is about to be elevated in importance by a new piece of legislation out of the European Union (EU), bringing data protection to the forefront for virtually any company.
The General Data Protection Regulation, more commonly known as the GDPR, took more than four years of back-and-forth discussion to develop before its adoption in April 2016. The regulation was designed to protect EU residents in an increasingly data-driven world, ending the patchwork of legislation that existed under the Data Protection Directive (DPD). Set to go into effect on May 25, the new regulation will replace the DPD, carrying forward key principles within a modern, updated framework.
As the global economy moves further into a connected network, changes on the other side of the world can have a far-reaching impact close to home. The GDPR will apply to any company that interacts with an EU data subject, regardless of where the company is located. The widened geographic reach means a vast range of U.S. businesses that previously did not need to comply with EU data protection rules will now be affected by the full scope of the forthcoming law.
While previous drafts of the proposed legislation suggested extreme measures, the final draft is perceived as commercially balanced and can be seen as an evolution of the current law rather than a revolution. The regulation’s scope is remarkably broad; it will force many companies, wherever their location, to comply with its requirements. Penalties underscore the gravity of the mandate.
Any company that markets goods or services on a public platform can be subject to the GDPR. Even if your company has no subsidiaries, branches, satellite offices or data centers in Europe, has never used European contractors, does not own any physical property or equipment on EU soil and has never had European clients or pursued leads in Europe, the GDPR may still apply.
Companies with a public website, social media accounts or email servers, regardless of whether a transaction occurs, are subject to the GDPR. Even if a company is based in the U.S. but offers goods or services that collect personal data of an EU resident, that company falls within the GDPR scope.
Shamini Peter, chief operations officer for distributor Axis Promotions, says she believes every company in the promotional products industry will see some form of impact from the regulation.
What makes GDPR compliance much more challenging than the existing DPD is its stringent codification requirements:
- Given that all EU residents are protected anywhere in the world, companies with clients, employees or even job applicants who are physically located in the U.S. but who maintain EU citizenship are considered data subjects by the GDPR.
- If an EU-based individual inquires about a product, the company offering that product falls within the scope of the new EU privacy rules, regardless of whether or not a transaction occurred.
- Employees visiting the EU and sending work emails with Personally Identifiable Information (PII) will trigger the GDPR.
The regulation enforces a broader definition of personal data, which refers to any information that could be used on its own or in conjunction with other data to identify an individual. New examples that have been added to the definition include data extracted from physical objects [computers and smart devices], such as device locations, frequencies and IP addresses. The revised definition was written to be future-proof and therefore technology neutral. The rationale for this approach is to ensure that the protection afforded by the GDPR is not circumvented by advances in technology.
The GDPR establishes accountability for data protection across the data supply chain and it is critical for business operations managed by third-party vendors to comply with these regulations. A new study conducted by the RiskIQ Threat Research team reveals that some major U.S. firms still have websites that don’t comply.
Under the GDPR, companies are expected to consider the risks inherent in personal data processing and to manage them proactively and appropriately. Research and advisory company Gartner predicts that by the end of 2018, fewer than 50 percent of companies affected by the GDPR will be in full compliance with its requirements. The latest analysis from Veritas suggests that 86 percent of organizations worldwide are concerned that a failure to adhere to GDPR could have a major negative impact on their business, and nearly 20 percent fear that noncompliance could put them out of business.
To support GDPR specifications, companies need a comprehensive understanding of their digital footprint, keeping an inventory on every external asset that gains exposure, including: a user’s name; phone number; address; social media presence; photos; lifestyle preferences; location data; and even IP address.
EXAMINING THE GDPR
Data Subject Rights
Along with the expanded definition of personal data, the GDPR also provides data subjects with enhanced, powerful rights about how companies may retain and process their personal data:
- The right of access allows individuals to confirm whether or not their personal data is being processed, and to obtain prompt access to that data.
- Companies must provide categories of concern and identify any external recipients that have been or will be exposed to the data.
- Companies must disclose the purpose of processing, the source of the data and the duration for which it will be stored under the new regulation.
- Companies no longer have 40 days to respond but must act on the request without delay.
- Companies must provide this access to the consumer at no charge.
- The right to rectification provides data subjects with the ability to correct any inaccurate or incomplete information.
- The right to object to processing can be exercised at any time by the data subject.
- Companies must cease processing data for legitimate interests, direct marketing and even research purposes.
- Companies must have structures in place so that employee personal data can be easily accessed, provided upon request, and reasons behind processing can be justified.
- The right to erasure is popularly referred to as the ‘right to be forgotten,’ and prompts the obligation to erase personal data without delay.
- Under the GDPR, personal data must be removed when the data is no longer needed for the original purpose, when there are no other reasons for processing or when the individual withdraws consent.
- The right to restriction of processing requires companies to suspend further use while allowing existing data to continue to be stored. (New under GDPR.)
- The right to data portability allows individuals to obtain all records of previously-consented-to personal data held by the company and give it to an entity of their choosing. Data controllers must provide this information free of charge and without delay. (New under GDPR.)
Under the GDPR, consent must be freely given, informed and revocable. The GDPR expressly states that where there is an imbalance of power between the party giving consent and the party receiving it, consent is not valid.
Consent should be evidenced by a statement or affirmative conduct to clearly indicate the purpose in context.
- Companies may now no longer use one statement of consent to allow the data collected to be used in multiple ways; consent must be sought for each reason the company proposes to use the data.
- If you have offices in the EU, you will need to review your employment policies. The burden is on the employer to show that the employee gave adequate consent.
The GDPR affects every entity handling or using data—in essence, every professional in the modern business era. It is important for companies to keep detailed records on how information is used and stored, as well as documenting decisions made outside of the processes in place.
The GDPR requires companies to implement measures to ensure an appropriate level of security is in place for processing and relies on the concept of ‘pseudonymizing.’ Simply put, this is a method to substitute identifiable data with a reversible, consistent value. After pseudonymizing, data is no longer directly identifiable, but can still be tied to a specific individual when combined with other data and statistical analysis.
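To make the pseudonymizing step concrete, here is a small added Python illustration (not code from the article or from PPAI): a keyed HMAC replaces the email address with a consistent token, and a separately held token-to-identifier mapping makes the substitution reversible for the controller. The key, the vault and the sample records are constructed assumptions for the demo.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the people and values are made up.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "order_total": 120.00, "country": "DE"},
    {"email": "bob@example.com", "order_total": 45.50, "country": "FR"},
    {"email": "alice@example.com", "order_total": 80.25, "country": "DE"},
]


class Pseudonymizer:
    """Swap a direct identifier for a keyed, consistent token; the token ->
    identifier mapping (the 'vault') is held apart from the data set."""

    def __init__(self, key: bytes):
        self._key = key    # secret; never stored with the pseudonymized data
        self._vault = {}   # token -> original identifier

    def token_for(self, identifier: str) -> str:
        # HMAC-SHA256 under a secret key: the same identifier always yields
        # the same token (consistent), and nobody without the key can
        # recompute or invert it.
        digest = hmac.new(self._key, identifier.encode(), hashlib.sha256)
        token = digest.hexdigest()[:16]
        self._vault[token] = identifier
        return token

    def pseudonymize(self, records, field="email"):
        # Return new records; the originals are left untouched.
        out = []
        for rec in records:
            rec = dict(rec)
            rec[field] = self.token_for(rec[field])
            out.append(rec)
        return out

    def reidentify(self, token: str) -> str:
        # Reversal is possible only for whoever holds the vault.
        return self._vault[token]


def orders_per_subject(records, field="email"):
    # Pseudonymized records of one individual still link together, which is
    # why the GDPR treats such data as personal data rather than anonymous.
    return dict(Counter(rec[field] for rec in records))
```

Because the records of one person still group together under the same token, the output remains personal data under the GDPR; only the key and vault being kept separate reduces the risk.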
Data Protection Officers (DPOs) And Enforcement
The GDPR requires Data Protection Officers (DPOs) to be appointed for all public authorities, and where core activities involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data.” Though an early draft of the GDPR limited mandatory DPO appointment to companies with more than 250 employees, the final version has no such restriction.
EU-member Supervisory Authorities (SAs) will enforce the upcoming GDPR through investigative and corrective powers, including directly against U.S. companies that have a physical presence in the EU. U.S. companies without a physical presence in the EU but that knowingly and actively conduct business in the EU are required to designate a representative located in the EU.
Investigative powers allow SAs to take up any complaint received and employ a wide range of measures, including audits or open access to company assets. Corrective powers include the ability to issue warnings, reprimands and orders to bring processing operations into compliance. SAs also hold the right to impose temporary or definitive bans, withdraw certifications, order breaches to be communicated to data subjects, halt data flows altogether and even levy substantial fines.
Along with the strengthened policies, the GDPR codifies a penalty structure for violations.
In the case of a privacy breach, the GDPR requires companies to report the incident to SAs within 72 hours of the discovery.
A recent survey by PwC revealed compliance with the GDPR is a top priority for 92 percent of U.S. companies.
While regulatory in nature, the GDPR should elevate core values of trust and relationship building that will enable companies to build on data and gain more value in the marketplace. Failure to implement successful, compliant data protection measures may damage a company’s reputation, customer relationships and, ultimately, its financial security.
The promotional products industry alone has seen a 55 percent increase in online sales over 10 years, based on the recent PPAI Sales Volume Study (Figure 2). The study defines online sales as reflecting any promotional product revenue initiated online, but does not include any merchant-aided transactions fulfilled online. Therefore, online sales could be generated from a range of sources including desktop browsers, applications and mobile devices. Not surprisingly, 65 percent of distributors have mobile-friendly websites, as indicated in the 2015 PPAI Technology Study. Given the broad online footprint of the industry, companies that ignore the GDPR do so at their own risk.
The GDPR isn’t a regulation that holds a single individual accountable, but one that could hold a company accountable for a single individual’s actions.
- Every company contact, both internal and external, needs to know about the GDPR, including staff, partners, third-party contractors and customers.
- Data privacy should be top of mind for every employee and should engender a greater sense of responsibility and accountability.
- Employees should be trained on how to take notes and record information about customers, prospects and employees, as well as how to follow online security protocols, such as how to recognize phishing emails and the dangers of clicking on unrecognized email attachments.
- Companies need to ensure that their cloud providers implement technical and administrative controls to protect data. This is especially critical for those dealing with data originating in the EU, as EU authorities can assess every single data transfer if a privacy complaint is brought to their attention.
- Customers must also understand their rights under this legislation. Greater transparency will involve clearly communicating the purpose of collecting data and naming any third parties with whom the data will be shared. Prechecked-box opt-ins must be deactivated, and withdrawing consent must be easily facilitated.
The GDPR will concern every channel through which data is collected, including websites, email or POS systems, as well as the repositories used to store data, including CRMs, cloud hosting providers and internal infrastructure.
- Each data point will need thorough monitoring to document where it is coming from, what it is being used for, where and how it is being stored, who is responsible for it and who has access to it.
- By engaging the people who deal with these processes in a conversation about the GDPR and why it is important, companies will be better equipped to update processes with the necessary requirements to become GDPR compliant.
Cyber insurance policies will likely begin to mimic the GDPR language. Thus, a violation of GDPR rules may result in a denial of coverage.
No company that operates on a global footprint, whether directly or through an array of third parties, can afford to ignore or avoid preparation for the GDPR. For most, this is a critical time to reevaluate the people and processes related to data protection and build flexible solutions to meet today’s challenges to continue tomorrow’s growth.
The bottom line is that the EU has set a new standard in data protection, and companies that embrace these new standards will be well prepared for the coming shift in expectations.
For a more comprehensive look at the regulation, download the PPAI white paper at www.ppai.org/GDPR.
ACTIONS TO TAKE NOW
1. Consider what data you are collecting or processing from individuals located in the EU.
2. Update contracts with third-party vendors with whom you are collecting or sharing data on individuals.
3. If you work directly with consumers, review the current consent forms you use to collect data about them.
4. Consider more creative ways to display and describe your privacy practices (so they will be read), and provide mechanisms for users who want to opt out.
This story has been prepared for informational purposes only and does not constitute legal advice. To learn more about the upcoming General Data Protection Regulation, consult your legal counsel or visit www.eugdpr.org.
Moumita Das is the market research coordinator at PPAI.