Five reasons why the EU’s new data protection regulation may impact companies worldwide

November 7, 2017 by Sven Dummer

Tags: compliance, consent management, data protection, GDPR, personal data, privacy

When it comes to collecting, storing and managing user information, many global businesses have a lot of freedom. While certain industries are subject to U.S. regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or industry standards like the Payment Card Industry Data Security Standard (PCI DSS), other industries enjoy less stringent laws and regulations for data protection and privacy, depending on the jurisdictions they are located or operate in.

Generally, the regulations applicable to an entity collecting data have been those of the country where that entity is incorporated or where its servers are physically located. So, if a company operates sites in country A, the privacy law of that country would apply even for users who use the services from country B. Such settings can represent a legal gray zone in many cases, making enforcement of foreign law across borders difficult. When the EU’s General Data Protection Regulation (GDPR) takes effect in May 2018, it will resolve numerous compliance ambiguities, and the question of which law applies is one of them.

1. Not being EU-based is not a loophole

All businesses that access and store information belonging to European residents must adhere to the GDPR. That means companies based in the United States or elsewhere are just as liable as EU organizations, assuming they sell to a European audience and collect personal data on individuals residing in the EU. The GDPR protects anybody residing in the EU, regardless of citizenship.

2. That goes for your servers too

Moving servers that touch and house affected consumer data outside of the EU is not a work-around to these new compliance regulations. It doesn’t matter where your databases are located, where login and registration forms are hosted or where customer information is processed. If that data pertains to EU residents, you must adhere to every aspect of GDPR and its very strict privacy protection rules.

3. Third-party data processors won’t protect you

There may once have been a time when working with a third-party data processor put some distance between companies and their customers’ data, and absolved organizations of any responsibility in the event of a breach or mismanagement of that information. Not so under the new regulation. Handing off data processing duties to an external party is no excuse for poor data management practices, and officials will hold businesses accountable for any GDPR violations committed by a contracted partner. Under these new regulations, the data controller will be liable for the data processor’s negligence and misdeeds.

It’s not just your own internal policies you need to worry about, but your business partners’ workflows as well. This puts more pressure on organizations to work only with vendors that adhere to compliance and security best practices. GDPR compliance by vendors requires expertise, resources and time. Companies should not quietly assume their vendors are ready to support their GDPR efforts.

4. “Umbrella consent” is no longer an option

One of the most notable changes is GDPR’s requirement to gather affirmative, informed consent from users before collecting, storing and processing their personal data. Today, many organizations use vague user consent forms to collect a wide range of personal information. Under GDPR, companies need to outline precisely what data they are asking a customer to share as well as how that information will be used. In addition to this new level of transparency, customers need to be able to review, change or revoke their approvals at any time.

The common “umbrella” consent forms that gather an almost universal approval to store and process a user’s personal data, often in combination with a pre-checked box and somewhat hidden terms, will no longer be sufficient. Businesses will need to be much more surgical with their data collection methods, revamp their consent forms to reflect the new GDPR requirements and completely overhaul their fine print so that it clearly spells out to users exactly what they are agreeing to when they hand over their data.

5. Account deactivation is not the same as deletion

Many companies today don’t allow registered users to delete their accounts and only offer account “deactivation.” This allows them to continue leveraging user data even after an account has been deactivated, because the existing customer data remains on the organization’s servers. Under GDPR, businesses will be expected not only to comply with account deactivation requests, but to offer complete account deletion. This “right to be forgotten” will require organizations to completely scrub their systems and eliminate any trace of a customer. That could be a tall order for businesses with complex networks, distributed CRMs and marketing automation systems with databases spread out across various environments, departments and regions. They will need to find a way to centralize this data, or find an efficient means to locate it wherever it may reside and remove it.

With GDPR, the EU’s leaders are making it clear that lackadaisical data privacy, security and management practices will no longer be tolerated. Any organization that wants to continue doing business in this market needs to diligently prepare its workflows, processes and systems to fully comply with these regulations. For assistance going down the home stretch, be sure to reach out to Janrain and have a look at our GDPR information resources. Our expertise may just be what you need to meet the GDPR deadline.