The General Data Protection Regulation applies to all organizations that provide goods and services to people in the EU. The risk of not complying may result in fines up to 4% of your organization's global revenues.

Many companies do business in the EU without having a physical business presence there. These companies have been able to collect, process, and protect their customers' personal information with little regard for the various EU privacy laws. As of May 2018, this changes with the enforcement of the General Data Protection Regulation (GDPR).

What is GDPR?

Since 1995 the EU has had a directive in place requiring member states to enact laws to protect personal information. The directive provides a framework for these laws. As you can imagine, with 28 sovereign states there are variations in how the laws have been enacted and how they are enforced. Additionally, businesses may need to interact with government officials, called data protection authorities or supervisory authorities, in each member state to legally process personal information in the course of running their operations.

Several years ago, talks began to find a way to unify personal information protections across the EU and to ease regulator interactions for businesses. From these discussions, GDPR was developed and passed. GDPR is an EU-wide regulation for the protection of personal information related to individuals in the EU. It applies not only to organizations with a presence in the EU, but also to organizations that provide goods and services to people in the EU. This last scoping statement affects many unsuspecting organizations. The risk of not complying with GDPR may result in fines up to 4% of your organization's global revenues.

What is personal information?
In the U.S., while it is a good practice to protect all personal information you collect, most laws and regulations focus on sensitive information such as government-issued identification numbers, financial accounts, and health-related information. Generally speaking, there are few limitations on how information may be processed.

The definition of personal information in the EU is "any information related to an identified or identifiable natural person." This is very broad when compared to the enumerated definitions used in most U.S. regulations. By default, you cannot process personal information obtained from someone in the EU unless there is a clear legal basis for doing so.

The EU has identified some types of information as special categories, similar to the sensitive information described above for the U.S. The categories are very different from those in the U.S. and include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, and criminal convictions or offenses. The processing of these categories of data is, again, prohibited unless strict requirements are met.

GDPR requirements

If you are providing goods and services to the EU, under GDPR there are several things you will need to consider, which include:

- Do you have an acceptable legal basis for processing the information you are collecting?
- Have you supported the protection of individuals' rights as defined under GDPR?
- Have proper organizational measures been put in place to secure the personal information you collect?
- Do your systems development processes integrate the principles of Privacy by Design?
- Is personal information protected by default, or must customers do something to protect their information?
- Do you perform impact assessments when new uses for personal information are proposed and then developed?
- Do you have processes in place to notify regulators and customers in the event of a data breach?
- Is there someone in your organization who is responsible for overseeing the protection of personal information (a data protection officer)?
- Have you been transparent with your stakeholders regarding your privacy practices by posting a privacy notice that meets GDPR specifications?

Given that your organization has not previously been exposed to this level of regulation for the collection, processing, and protection of personal information, these requirements may never have been considered.

A data protection officer

An organization under GDPR is accountable for the protection of personal information. A data protection officer, or DPO, is fundamental to successfully meeting this accountability requirement. The responsibilities of this role include:

- To inform and advise the organization of its obligations under GDPR
- To monitor compliance, including the assignment of responsibilities, awareness-raising and training of staff, and the related audits
- To provide advice where requested on data protection impact assessments and to monitor their performance
- To cooperate with the supervisory authority
- To act as the contact point for the supervisory authority

Naturally, a DPO must rely on many departments to actively participate in a data protection program. It is vital that the DPO achieve organizational alignment on data protection goals and be able to demonstrate the organization's compliance with the data protection program to regulators. The expectation is that a DPO has a level of independence within the organization. Also, the DPO should report to the most senior level of the organization on the state of data protection and potential risks. Depending on the size of your organization, a full-time DPO may not be required.
The responsibilities of a DPO may be assigned to someone in your organization who has other responsibilities, or they may be outsourced.

What can you do now?

GDPR enforcement is just around the corner. In fact, some EU states have begun incorporating components of GDPR into current law. If your organization has not yet started to prepare, there are steps you should take at once.

Start by inventorying the categories of personal information you collect that may originate in the EU. This may include customer, vendor, and other stakeholder information, including that of employees. Also name the processes that use this data.

Next, attend GDPR training to understand your obligations under the law. (Note: In full disclosure, Privacy Ref provides this training through our partners at CyberDefenses and the International Association of Privacy Professionals.) Alternatively, engage someone who is familiar with the requirements.

Using the inventory and your newfound knowledge, you can perform a gap analysis to determine where you are compliant and where improvement is required.