Europe is an attractive market for US companies due to its size and consistent regulations across borders. However, don’t be fooled into thinking that it’s simple when compared with the US.
From 25 May 2018, all companies will need to comply with new GDPR rules in order to deal with customer data in Europe and avoid heavy fines. The new legislation will simplify the rules that companies need to follow across the continent, but there is more to it than meets the eye. A major difference from the US is the need to correctly handle the movement of data between countries, along with customers’ “right to be forgotten”, which means companies need to consider how they coordinate centrally as well as how they store data locally.
The right to be forgotten will be one of the most challenging parts of GDPR compliance, especially for global companies. Under the new directive, if EU residents request that their personal information be removed from your records, the company must find and delete all instances of that person’s data. Personal data under the GDPR means personally identifying data (names, phone numbers, bank details, etc.). Putting processes in place to discover, manage and delete it is a big ask for many companies.
In regard to the movement of data, similar to the framework set out in the current Data Protection Directive, the GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. However, the GDPR does introduce new legal grounds for cross-border data transfers, as well as significant changes to the recognition of these “adequate” countries. For example, under the new legislation adequacy decisions will be subject to periodic review, at least every four years, taking into account all relevant developments in the relevant third country. The GDPR has also introduced the possibility of adequacy decisions being repealed, amended or suspended – all of which could have implications for the EU-US Privacy Shield which is already on shaky ground.
Worryingly, but perhaps unsurprisingly, Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. There are a number of ways to get prepared for May 25th, particularly on the people and processes front. Gartner recommends that organizations prioritize five specific actions, beginning with the appointment of two roles dedicated specifically to data protection: an individual to act as a contact point for the data protection authority (DPA) and data subjects, and a data protection officer (DPO) to ensure processing operations are compliant. The remaining recommendations are to demonstrate accountability for all processing activities transparently, check how data flows across different borders both within the EU and outside it, and prepare for data subjects to exercise their extended rights, in areas such as the right to be forgotten and the right to be informed of a data breach.
However, in most instances the burden isn’t all on the business. If you’re a US company planning to grow into Europe then choosing infrastructure partners that understand the complexities of managing data across borders within Europe will be crucial and will make things a lot simpler. Businesses need partners to facilitate GDPR compliance and Privacy by Design – starting with the infrastructure and connectivity layers.
Although the implications of the GDPR may appear overwhelming, in general the regulations can simplify the process of launching into Europe by providing a clear playbook for digital transformation. Armed with the right information, support and tools, these businesses can be GDPR compliant from day one.