Learn how and why the GDPR affects your business outside the EU
The EU has stirred up a hornets' nest with its new General Data Protection Regulation, known more commonly as the GDPR.
The GDPR compliance guidelines apply to any business or organization processing personal data of EU citizens—regardless of where the business or organization is established.
It’s something most small US businesses are not thinking about, but many of them should be.
“Does my Cyber Liability Insurance Plan Cover the New GDPR Changes?”
When it comes to cyber liability, businesses should never assume they’re covered. Coverage for GDPR is dicey, at best.
Even affirmative coverage grants might not add much protection to your policy. That’s largely because businesses aren’t the only ones trying to sort out their coverage—the whole industry is wondering: should these fines even be insured?
The fines are designed to penalize any company’s actions, whether they’re negligent or intentional, that don’t conform with the GDPR. And the GDPR is designed to protect personal data.
These fines fall outside the scope of what most Professional, Management, and Cyber liability policies have historically covered.
With that in mind, here’s the real question businesses should be asking themselves: what are we doing to ensure compliance?
GDPR Compliance for United States Businesses
To understand the potential compliance issues that United States (U.S.) businesses are facing, you need to understand the GDPR.
The GDPR increases the protection for and control of personal data for EU residents on an international basis.
Even though this new data regulation came from the EU, and only protects EU data subjects, it’s enforced globally. When it comes to enforcement of the GDPR, United States businesses are on the hook.
The GDPR compliance guidelines only apply to businesses that are processing personal data of EU residents. An American hotel that processes information for EU guests, for example, falls within its scope.
Let’s look at some of the protections put in place by the GDPR, and what you can do to stay in line with GDPR compliance in the US.
A Brief Look at an Important Regulation
The protections put in place affect a variety of data use elements: everything from the amount of time a business should hold on to a data subject’s personal data, to ensuring the data is accurate, to making sure all personal data is handled fairly and transparently.
The document is enormous, but many of the regulations are reasonable.
It’s only lawful to process information if there is a lawful basis for processing personal data for that specific purpose. That could be consent given by checking a box on a web page. It could be a contractual arrangement. It could be a legal obligation, and so on.
But the consent for processing that personal information only covers the purpose explicitly stated.
Keep in mind that “processing” refers to, as it’s put in this CHUBB GDPR report, any company that is “hired under specific written instructions to collect, organize or otherwise manipulate the data.”
Three Steps to Take to Ensure GDPR Compliance
There are steps every business can take to ensure they’re not leaving themselves, or their customer information, vulnerable. The steps below don’t constitute a comprehensive list, but they’re a good place to start.
- Take an honest look at your data protection.
Is your business taking data protection seriously?
- If your data protection is weak or nonexistent, then look into updating your technology and your data handling practices.
This could mean adding data encryption, or reviewing and rewriting your organization’s data practices. Make sure there are no gaps in your data handling.
The security measures you take should be appropriate to the risk involved.
A small business holding hundreds of customer emails, names, and addresses faces a different level of risk than a large company storing hundreds of thousands of names, payment details, and so on. Their risk levels are different, and their security obligations under the GDPR will look different.
- Review how you get consent to use personal information.
Ensure that you’re only using information for the explicit purpose for which it was collected. Also ensure you only hold on to the personal information for as long as necessary to complete that purpose.
The Jump from EU’s GDPR to the United States
Increased protection for personal data is on the horizon.
In November 2018, California voters will weigh in on the California Consumer Privacy Act.
It’s California’s version of the GDPR. It would apply to all California residents and their data, just as the GDPR applies to all EU residents.
The requirements on companies to ensure data is used lawfully, is protected, and is used only for the specific purposes intended by the data subject will continue to grow as more states and more countries adopt their own regulations.
If you weren’t thinking about the GDPR before, you should be now.
Though questions about coverage and insurance remain, the question about compliance has been decided.