U.S. Companies Need to Gear Up Now for New EU Data Privacy Regulations
Companies That Do Business With Europeans Face Major New Requirements
Thousands of American companies that do business in Europe directly or online with European customers will need to start reckoning with data privacy regulations enacted this month by the European Union (EU), according to the International Association of Information Technology Asset Managers (IAITAM).
The regulations are due to go into full effect in two years.
“These are sweeping changes to how personal and corporate data is to be handled and they have far-reaching implications for many aspects of U.S. businesses, particularly in terms of how information security is addressed,” said IAITAM CEO Barbara Rembiesa. “The days are long past when U.S. businesses could worry only about complying with laws and rules in this country. Companies that fail to start planning now to deal with the General Data Protection Regulation (GDPR) requirements are going to be in for a real shock.”
The top five impacts the new EU regulations will have on any organization are, according to IAITAM:
- Data breaches. If an organization experiences a data breach, it must now be reported within 72 hours of the company becoming aware of the breach. Until now, a data breach in the U.S. has typically been announced only when word of it leaked to the public or the media.
- Companies must designate a Data Protection Officer (DPO). DPOs are to be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the DPO's tasks.
- Consent of those providing data. The data controller bears the burden of proof for the data subject’s consent to the processing of their data for specified purposes. Consent will not serve as a legal basis for processing when there is a significant imbalance between the position of the data subject and the controller. This aspect of the GDPR requires active acceptance of the terms and conditions by the end-user. Consequently, mere use by the end-user will no longer be sufficient acceptance of the terms and conditions.
- Special handling of data related to Europeans. Any transfer of personal data to a third country or to an international organization may only take place subject to the provisions of the regulation. This provision was created specifically to protect EU citizens' data once it is moved outside the EU. Any organization that is international in scope and handles personal information of EU citizens will be subject to the GDPR, as will any organization that received the information third-hand.
- Potential for hefty fines and court penalties. Organizations will be fined by EU member states to ensure that the damage to an individual is made whole, in addition to penalties and fines meant to deter any further infractions. This type of enforcement can become increasingly potent and result in monetary penalties reaching into the billions, according to IAITAM.
“What is important is that any organization that processes or handles data from EU citizens must become familiar with this legislation and fully understand the impact it will have on daily business processes,” said Rembiesa. “Between the sweeping scope of the GDPR and the penalty structure, this is a piece of legislation that should be treated seriously and with an eye to what it will take to ensure full compliance.”