How will GDPR impact US companies?

Unless you have been living under a rock for the past few months, you are aware that the EU General Data Protection Regulations (EU GDPR) is to be enforced in May 2018. The GDPR is set to give consumers back the control of their own data by way of requesting that organizations apply better data governance processes, and put privacy at the top of their practices.

What you didn't realize perhaps, was that the EU legislation has global applicability.

Yes you read that right. The EU GDPR extends to all organizations processing and holding the data of EU citizens or residents, which is practically any organization – given the scale at which data is processed today. The regulation proposes to fine up to 20 Million EURO or 4% of global turnover, any company that will not abide by its requirements.

The Impact of GDPR - Can the EU fine US organizations?

For those US companies that have a presence in the old continent, it is obvious that the EU and its citizens have the authority, under international law to pursue legal actions. Even giants like Google have been the object of class actions and record fines of more than $2.7 Billion. But can US organizations without a presence in Europe be the object of fines?

Under Article 27, GDPR requires companies without an establishment in the EU to designate a 'representative' located in the EU. This applies to all US businesses – provided the data processing is not occasional, and the organization is not a public authority or body.

When it comes to the question of enforcement, the EU-US Privacy Shield data agreement puts systems in place to coordinate efforts between the US and the EU. Without getting into all the intricacies of the agreement, EU regulators can fine U.S. companies for violating GDPR, and they can do it with the help of U.S. authorities. 

So what do US organizations need to do to be GDPR compliant?

For those US organizations dealing with EU citizens data, welcome aboard!

The GDPR has been the most discussed regulation this year, not only because it introduces a real revolution and forces organizations to reexamine their data practices, but also because it does so without actually prescribing much. The principles are clear, organizations should: minimize the data they gather, guarantee that the data they processed is needed for specific purposes, and make sure they know where their data is and when. Overall, there are key requirements that organizations should be aware of. For those coming from the healthcare sector, this may ring close to home:

  • Ensure opt-in consent and "privacy by default" mechanisms – organizations need to have explicit consent from customers to gather and process their data, and make sure that the highest standards of privacy are used by default.
  • Conduct Privacy Impact Assessments (PIAs) – In short, organizations need to be able to document that they have planned how they will protect the data gathered about customers, and that they can monitor that such risks remain low.
  • Ensure data protection – by way of using pseudonymization or encryption.
  • Be ready to comply with Right to Be Forgotten Requests and Data Portability – The GDPR gives customers the rights to have their data deleted or to obtain a copy within the shortest delays.
  • Guarantee that data breaches can be reported in no more than 72 hours

At NICE, we have created a dedicated GDPR compliance solution based on our unique Compliance Center offering. The latter comprises mission-critical dashboards to gauge privacy data and ensure that all interactions are protected. To mitigate the impact of the GDPR, we have created  dedicated workflows to automate requests for the right to be forgotten or data extraction, our GDPR package can help you make sure that you are ready for the challenges of 2018.

All this because of a single European regulation?

GDPR may only be the tip of the iceberg, and organizations should be aware of its ramifications, as governments and regulatory bodies globally are looking into enforcing greater transparency and better data governance practices. Here in America, prompted by the numerous scandals of 2017: such as Equifax exposing the names and social security numbers of over 143 million people1, and the emergence of privacy abuses including cyber-bullying and fake news, lawmakers are tempted to enact legislations promoting better customer data protection. As shown by The Consumer Privacy Protection Act of 20172 and the Data Security and Breach Notification Act3, which both give a new impetus to consumer data protection in the USA.

2018 will definitely be the year of Privacy, and it belongs to all organizations to understand that it can be a real customer experience differentiator, with the power to make or break a brand. The question is: are you ready?