Ostendio Blog

'We’re a US Company, the EU’s GDPR doesn’t apply!' Think again.

Written by Ostendio | Apr 5, 2018 6:05:48 PM

If you collect any EU resident’s identifying data as broadly defined under the EU’s General Data Protection Regulation, aka GDPR, you now have another set of privacy and security regulations with which to comply. Do you know what you need to do to get ready by 25 May 2018? Whether your company is in the healthcare business, financial, or otherwise, any company that may collect any identifying information about an EU resident is on the hook.

What is identifying data? A lot of information you may never have considered. Besides the obvious name and date of birth information, identifying data may include GPS, IP addresses, email addresses, a photo and more. US company websites will need to adjust their marketing and sales approach for targeted EU consumers, particularly in regard to data use privacy disclosures and consent of data use.

The GDPR ushers in a new era of “digital rights” that recognize how valuable our personal data is not only to us as individuals, but to businesses. There will be many adjustments on the US side. But in some ways,

US–based companies are fortunate because they already must comply with the requirements of PCI-DSS, HIPAA and the like.

While that means you likely don’t have to start from scratch to bring your privacy and security up to par for GDPR compliance purposes, you do need to take action. Otherwise, painful penalties can apply.

7 Tips for GDPR Prep

1. Know if your company may collect identifying data from an EU citizen at any time.

2. Re-evaluate and update your privacy policies around how you currently handle permission to use, correct, transfer or store personal data. Be sure it conforms to the GDPR’s definition of personal data as well.

3. Examine your online marketing strategy and tactics. How do you collect data like email addresses? How do you assure consent? If you use a pre-checked permission box to be able to tap someone again, that won’t fly.

4. Update your security incident response plan to include the EU regulator or supervising authority to inform within 72 hours of a breach. Sensitive data like healthcare or financial information, as well as any associated data about children, or a large number of email addresses, falls into the high risk category.

5. Update your privacy and security training curriculum to include GDPR definitions and requirements.

6. Assess how your technology needs to handle the GDPR security controls, like access and monitoring, and data encryption.

7. Assure your privacy and security compliance support platform either has or soon will have GDPR compliance support capability.

Take the new regulation seriously. Penalties for data breaches under GDPR can range from 2% to up to 4% of a company’s annual global revenue (or up to $20 million). Failure to comply with GDPR, audit failure, or a data breach that goes un-reported for more than 72 hours, among other factors, helps determine the penalty level.

If you want to play it safe, and you probably do, assume you’ll likely need to comply with GDPR requirements until a compliance expert informs you differently.