What U.S. Business Leaders Need to Know about GDPR

GDPR is the acronym for General Data Protection Regulation, a set of data privacy regulations approved by the European Parliament that became effective in May 2018. GDPR regulates how organizations protect the personal data of citizens of the European Union and affects any company worldwide that has obtained any personal data of an EU citizen.

The GDPR is the most recent and comprehensive measure governing personal data in the EU, but the union has focused on protecting its citizens personal data protection for decades. The European Union approved the Data Protection Directive of 1995, which required each EU member state to set up regulations and a supervisory authority to monitor and enforce data protection. That directive is now superseded by GDPR, which applies uniformly to all member states and to any organization in any country that collects or retains personal data of EU citizens. Below are the landmark dates in the history of GDPR:

• January 2012: The European Commission first proposes GDPR.
• March 2014: The European Parliament votes in favor of the outline of the the new data protection law.
• May 2016: The European Parliament formally adopts GDPR.
• May 25, 2018: GDPR goes into effect when all EU member states are required to have adopted it into their national laws.

The GDPR strives to give EU citizens much more control over how their personal information and data is collected and kept. The regulation governs not only how organizations collect and store basic information like name, address, and a wide range of other personal information, but also how websites can track how an EU citizen is viewing a website, and how companies collect and use an email address. In essence, the law takes a much broader view of what information in considered “personal” — and therefore what information persons should have control over — than do laws in the United States and other countries.

“The Europeans suffered the worst of World War II and the Holocaust in particular,” says Rita Heimes, Data Protection Officer and Research Director of the International Association of Privacy Professionals, the largest not-for-profit community of security and privacy professionals in the world. “They still feel the sting of neighbors informing on each other. They value their personal privacy as a fundamental human right. In the United States, we’ve seen privacy as a consumer protection issue, but at the same time we haven’t wanted to hinder technological development and innovation. So we are less apt to regulate technology or tech industries and more likely to encourage self-regulation, as well as to assume companies will do the right thing by consumers to protect their brand and customer trust.

“The EU strives in the GDPR to give consumers much more control over their own personal data,” Heimes continues. “I would describe the overall tenor of the regulation as pushing businesses that process personal data to think hard about what they collect from consumers and why, and encouraging them to be more transparent, and more responsive, to their customers when it comes to a customers’ privacy.”

The GDPR and what it governs is generally quite complex, but some provisions are vague and open to interpretation. Some experts say it would be extremely difficult for organizations to comply with every detailed provision in the law.

The full text of the GDPR totals 261 pages and governs a wide range of areas. But there are some basic requirements and provisions that are most important, including the following:

• Consent: In most cases, a person must actively consent to an organization having his or her personal information and data. The organization must ask for that consent in clear language, and it must ask for consent whenever it wants to collect or use a different piece of information. It must be obvious to the person how the personal data is going to be used, and organizations must be able to clearly show how and when they gained that consent. An organization must also tell people how they can easily withdraw their consent for any reason.
• Evolving Technologies: GDPR defines personal data as including new technologies that don’t currently exist but that might be able to capture data in new and evolving ways.
• Breach Notification: Organizations must notify the appropriate supervisory authority (within various EU member states) within 72 hours whenever they experience a “personal data breach.” A breach is anything that leads to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of personal data. As stated in the GDPR, if the organization that controls the data determines the personal data breach “is likely to result in a high risk to the rights and freedoms” of individuals, the company must also alert the persons whose data was compromised.
• A DSAR: People can submit a data subject access request (DSAR), in which they formally ask an organization for all personal data the organization may have relating to them. In general, the organization must provide that info within one month of receiving  the request.
• Data Control: Organizations must maintain overall data control, which means, among other things, that they can process or retain only data for purposes that are allowed under the law, and that they ensure the accuracy of the data.
• Data Security: Organizations must ensure data security, which includes a wide range of actions to ensure personal data isn’t inadvertently released or stolen.
• Right To be Forgotten: Also known as the right to erasure, this right ensures that a person can ask an organization to erase or delete his or her personal data. Although the right doesn’t apply to all data, it does apply to a wide range of information, including when the data is no longer needed for the reason an organization gathered the data, and when an organization is relying on consent to keep the data and the person withdraws that consent.
• Pseudonymization: GDPR encourages organizations to mask as much of their personal data as possible through pseudonymization, which is a way of storing the data so it doesn’t identify a specific person. The data can still be useful to an organization because it can match the data with other separate information held in a different place to identify the person. The process decreases the risk of identifiable data being released while keeping it useful to the organization.
• Privacy by Design and Privacy by Default: GDPR requires organizations to follow these two established privacy principles. Privacy by design, the idea that organizations should prioritize privacy and how they will ensure it when they are designing new systems and technologies — not as an afterthought. Privacy by default means that the most restrictive privacy settings happen by default when a customer uses the product or technology. He or she should not need to make manual changes to make the settings more private.
• Safe Harbor and Privacy Shield Protections: Under pre-GDPR EU regulations, personal data could be transferred to non-EU countries if those countries had privacy laws that were “adequate” to protect privacy. After a European court struck down the United States’ safe harbor protections relating to the EU in 2015, the EU and the U.S. entered another agreement, called the Privacy Shield Framework, which set out rules that the U.S. government and other U.S. organizations would follow when dealing with EU citizens’ personal data.
  
  There remain some legal uncertainties about how the Privacy Shield Framework applies now that GDPR has superseded previous EU privacy laws. What’s certain is that GDPR now governs a much wider array of personal information than did the Privacy Shield Framework. So U.S. organizations that have or transfer data of EU citizens must comply with all aspects of GDPR — not just those in the Privacy Shield Framework.

GDPR requires a data protection officer (DPO) be appointed by all governmental entities and by private organizations where the core activities of their data processing involve “regular and systematic monitoring of data subjects on a large scale.” GDPR also requires a data protection officer for organizations that do large-scale processing of “special categories of personal data” such as personal information on race, ethnicity, and religious beliefs.

The data protection officer has a wide range of responsibilities, including the following:

• Educating the company and its employees on their duties under GDPR
• Training staff that are most involved in processing personal data
• Monitoring how the organization is complying with GDPR
• Serving as the primary point of contact between the company and GDPR supervisory authority in the organization’s country

Data protection officers can’t have a conflict of interest. For example, they can’t also serve as the company’s information technology director, because they would not have the independence necessary to ensure the organization was complying with GDPR. Data protection officers also have special protections, including that an organization can’t fire them for doing their jobs.

GDPR outlines important distinctions, and differing duties, between two key terms: A data controller is the entity that is making the decisions to gather, keep, and use the personal data, while a data processor is an entity that actually processes the data, often working on behalf of a data controller. 

 GDPR assigns many of the law’s principal requirements to the data controller, including getting consent from people whose data is being collected, and keeping track of when that consent is revoked. GDPR also makes the data controller responsible for whether the data processor is following all of the processing requirements set out by the GDPR. Unlike previous laws, GDPR now also imposes obligations on data processors. In essence, they are required to follow all aspects of GDPR or they can be penalized.

Under GDPR, the transfer of personal data from the EU to outside countries — including the U.S. — is only legal under certain specific conditions. GDPR allows those transfers if the outside country has laws that provide an “adequate” level of personal data protection. The transfers can also be legal if the sender and receiver of the information use appropriate EU-approved safeguards. In general, this means they are using mechanisms like contractual clauses that the EU approves or binding corporate rules (BSRs), which are codes of conduct adopted by multinational companies. These are limited circumstances, however, and can be subject to legal questions and challenges.

As noted, people can submit a data subject access request, in which they ask an organization for all personal data the organization may have relating to them. Generally, the organization must provide that information within a month. Many experts believe that could be much more complicated and labor-intensive for organizations than it sounds. 

The IAPP’s Heimes says the requirement means organizations will need to know where all of that person’s data is located, find it, and produce that info relatively quickly. “Depending on the size of the company and the length of the customer’s relationship with it, this access request can be time consuming and complicated – rather like a litigation discovery request,” she explains. “It’s not easy to scale that kind of effort or to staff up for it, especially when such requests arrive at unpredictable times.”

The maximum penalties set out by the GDPR may have received as much attention as any other aspect of the law. The more modest fines are issued for violations of some of the law’s provisions dealing with record-keeping, security, and breach notification. The maximum fine for violating these provisions is €10 million, or two percent of an entity’s gross global revenue.

The largest potential fines are charged for violating provisions requiring a person’s consent to the gathering of personal information, for other violations dealing with the person’s privacy rights, and for transfers of personal data from an EU to a non-EU country. Maximum fines for those violations are €20 million, or four percent of an entity’s gross global revenue.

Many experts believe that there won’t be large GDPR enforcement actions at first, as companies become more knowledgeable about complying with GDPR and regulators scale up their work. Some also believe the first enforcement actions will come against larger companies.

“I think it will be some organization that can take the hit,” says Schrader, from the National Cyber Security Alliance. “The intent would be not to destroy companies but to make sure they’re behaving.”

The GDPR affects a wide range of companies and organizations inside and outside of the European Union, including the following:

•  Those who are based in one of the EU’s 28 member states
• Those not based in the EU but who have customers who are EU citizens and have or collect personal data about EU citizens
• Those not based in the EU who may not directly have EU customers but who work in partnership with other companies that have EU citizen data
• Marketers in the U.S. and elsewhere who are targeting potential EU customers

Smartsheet’s Martinez says that many, if not most, U.S. companies need to comply with the law because “they either want to do business globally or want to do business with another company that’s doing business globally.”

A survey conducted of top security executives of U.S. companies in March 2018 found that they believed the U.S. industries most significantly affected will be, in this order: technology, financial services, online services, and retail and consumer packaged goods. The survey was conducted by Propeller Insights on behalf of Netsparker Ltd., a web applications security company.

The bottom line is that most larger companies in the U.S. have for a while believed that GDPR will significantly affect them. In December 2016, the PwC consulting firm surveyed 200 executives at U.S. companies with more than 500 employees and found that 92 percent either had GDPR compliance as their highest priority or among their several highest priorities. And 77 percent of the respondents said their companies planned to spend more than $1 million for GDPR preparations.

GDPR considers personal data to be any information that can identify a person, either directly or indirectly. The GDPR considers a wide range of information to be personal data. Below is a partial list of the most common examples: 

• Basic identity information such as name, address, and governmental or other identification numbers
• Web data such as the person’s location, internet protocol (IP) address, and “cookie” data that provides information on websites they’ve visited
• Information about the person’s physical appearance
• Health and genetic data
• Racial or ethnic data
• Sexual orientation
• Political preferences and opinions
• Psychological information
• Cultural information 
• Information on their religion or religious practices
• Socioeconomic information

There are certain regular business processes that will likely be affected by GDPR — either for organizations in the EU or in the U.S and other areas outside of the EU. Before GDPR, many organizations asked for and collected email addresses whenever someone visited their website and asked for or downloaded information. The organizations then kept those email addresses for future marketing and communication. GDPR requires people to give their specific consent any time an organization collects any information from them — including email addresses — and must tell them how they plan to use the email address.

“This means that the way your business has collected consent from email subscribers in the past will most likely not be compliant after May 25th,” says Britt Armour, Director of Marketing for Kibii, a company that’s created a social planning app for mobile phones. “The new regulation requires that brands collect affirmative consent that is freely given, specific, informed, and unambiguous to be compliant. This means you cannot use pre-ticked boxes, and must keep consent requests completely separate from the terms and conditions. Businesses will also need to keep evidence of consent that outlines who consented, when they consented, what they were told at the time of consent, how they consented, and whether they have withdrawn consent or not.”

But GDPR isn’t just about collecting data: It also includes guidelines for how organizations communicate internally about customer data. The law will also affect how customer data can be referred to or dispensed through internal company emails, since distribution of that information even internally could be a violation.

 However, there are some instances where GDPR allows companies to gather and process personal data without consent of the data subject, the person attached to the personal information. Those instances include when the gathering and processing is necessary for the following reasons:

• For a contract to which the data subject” is a party 
• For the data controller to comply with other laws
• To protect what the law calls “the vital interests” of the data subject or another person (in other words, something essential for the life of the data subject or other person)
• To perform a task to be completed “in the public interest,” or something that is an official duty of the data controller

Several federal and state laws in the U.S. require reporting of some data breaches. GDPR provisions on reporting of data breaches are different — in some cases, they require more public reporting and in other cases, less reporting.

In general, GDPR does the following:

• Uses a broader definition of data breach to include more categories of “personal data” than U.S. laws include
• Uses a higher threshold for the types of data breaches that must be reported to authorities
• Allows companies a larger “safe harbor” for not needing to report certain breaches (if they had good enough protections in place against breaches)
• Sets out more specific requirements on when breaches must be reported (within 72 hours in many cases)
• Less often requires that breaches be reported to individuals whose personal data may have been compromised
• Sets out the information that must be included in breach notifications
• Doesn’t require or assume credit monitoring services be offered for free to persons whose data was compromised, as is often the case with U.S. breaches
• Doesn’t set up public websites where data breaches are listed
• Requires data processors to report breaches to their clients and the data controllers.
• Requires organizations that have suffered a data breach to document how it happened and the remedial action it will take

In the months and weeks leading up to the May 2018 effective date for the GDPR, many U.S. companies indicated they had a lot of work to do to get ready for it. Many also indicated they had encountered hurdles to being completely prepared. An online survey by the security firms Crowd Research Partners and Cybersecurity Insiders that asked more than 500 information technology and cybersecurity officials in the U.S. found that:

• Many Say They're Not Knowledgeable Enough: While 80 percent confirm GDPR was a top priority for their organization, only about half said they were knowledgeable about the law and 25 percent had “no or very limited” knowledge of the law.
• Lack of Staff and Budget Hampered Compliance: Forty-three percent said their organizations had a lack of adequate staff to ensure compliance, and 40 percent stated their organizations had an inadequate budget to ensure compliance. 
• Substantial Changes Needed: About one-third of respondents said their organizations would need to make substantial changes to their data security practices and systems to comply with the GDPR. More than seven in 10 said their highest priority was making an inventory of their data and determining how GDPR governed that data.

There have been few (if any) definitive surveys on levels of compliance since GDPR became effective May 25, 2018. But there is a widespread belief that many — if not most — organizations are not yet fully compliant. Surveys immediately before the deadline hinted at that likelihood:

• A Ponemon Institute survey in April 2018 found that half of the U.S. companies surveyed said they wouldn’t be compliant by the effective date.
• The Crowd Research Partners survey found 60 percent would be non-compliant on May 25.
• About three-quarters of regulators tasked with enforcing the law surveyed by Reuters in early May 2018 said they weren’t ready for the new law to go into effect because they didn’t have sufficient funding.

When the law went into effect, some international websites blocked users from the EU entirely to ensure they weren’t found in violation of GDPR. Even if and when most companies catch up to a rudimentary compliance with the law, the IAPP’s Heimes points out that compliance with GDPR is not a race with a finish line. She cited one example: Each time a company starts working with a new cloud service application, a privacy risk assessment must be performed and the parties would need to enter a data processing agreement consistent with GDPR requirements. 

“Compliance with the GDPR is not achieved at any one moment in time,” Heimes says. “It’s an ongoing process.”

There are steps organizations should be taking toward GDPR compliance. Here are some important steps that experts recommend:

 Look over the EU’s official GDPR website, read related materials, and get advice from other trusted sources as well. 

• Hire a data protection officer if GDPR requires one for your organization.
• Your DPO can help educate your workforce, if you hire one, “or train up someone internally to be the DPO,” says Heimes. “Then, they need to raise awareness internally about privacy generally and the GDPR specifically.”
• Explore all of your organization’s data, its risks, and what parts of it are regulated by GDPR.
• Perform a Data Protection Impact Assessment (DPIA), which is required by GDPR when your organization is working on a new way to process personal data. The impact assessment is a review of how an organization’s processes and procedures might affect the personal data on people that the organization has collected and kept. 
• Clearly inform people about how your organization collects information and how people can opt out. 
• If a third party is processing personal data for your company, make sure they comply with all GDPR provisions. Understand that your organization can be liable for their GDPR failures.

In addition to the steps above, experts recommend that marketing companies take a few extra steps, since collecting personal data is a daily part of their business:

• Appoint a GDPR lead or create a team within your marketing department to review how your organization handles personal data.
• Provide clear wording about how you require consent to collect personal information, and make sure you create a process to contact parents for consent when collecting personal data of children under 16.
• Consider establishing a communications preference center, where customers can easily manage their preferences on communications from your organization.
• Clearly set out your organization’s privacy policy on your website, and consider using links with theme headings that can guide readers to more information, rather than presenting all of the information in one long web page.
• Create and implement a data breach plan that details how your organization will quickly respond to a data breach, including how it will communicate to employees, the public, and persons whose data may have been compromised.

To get an idea of what it takes to get your company ready for GDPR, you can read here about the preparations Smartsheet took to become compliant.

GDPR is already having a significant effect on many U.S. businesses. Many of those effects relate to the costs and challenges of complying with the law. The PwC December 2016 survey found that 64 percent of U.S. corporate executives said their top strategy to comply with GDPR is to centralize their data centers in Europe. The same survey found that 54 percent of executives plan to “de-identify” or anonymize personal data of Europeans to comply with GDPR. In a slightly different point of view, 32 percent of the survey’s respondents said their companies plan to reduce their presence in Europe, and 26 percent said their companies intended to leave the EU market entirely.

In some cases, U.S. businesses are analyzing how they do business with European customers, or whether they even want to remain in the European market. Here are some of the effects of and responses to GDPR:

• U.S. businesses assume that costs of complying with GDPR will be significant. Heimes said that her group — the International Association of Privacy Professionals — estimated that U.S. Fortune 500 companies would spend a combined $7.8 billion on GDPR compliance, or close to $16 million each.
• It will significantly affect any company’s third-party contracts, with vendors and with clients. Existing contracts with information processors, including cloud storage providers, internet-based software providers and others, will need to require GDPR compliance and assign responsibilities for each party. Contracts with clients will also be affected, as they will need to go into new detail on, among other things, how clients may access and take care with personal data.
  
  Smartsheet’s Martinez says GDPR is now a primary topic of discussion whenever a U.S. company contemplates partnering in any way or doing business with another U.S. company. That means that companies’ security and legal officials are often involved early on in the discussions. 

Why GDPR Could Benefit U.S. Businesses

Even with all of the expenses and troubles, many believe that GDPR — and the significant changes it will bring about in how organizations collect and store personal data — will be a net positive for businesses. Under GDPR, U.S. companies actually may be less likely to suffer extremely expensive data breaches and will be more likely to gain customers’ trust.

“In the end, businesses will hire a DPO, learn a lot more about what personal data assets they have and where they are located, build a stronger trust relationship with their consumers, and likely have more secure data handling practices which, overall, is good for business,” says Heimes.

The United Kingdom’s (U.K.) pending exit from the European Union — referred to as Brexit — is set for March 2019. Until then, the U.K. is governed by GDPR as is any other EU nation. After that, the U.K. will likely be governed by personal data laws almost identical to GDPR because the U.K. Parliament is set to pass those laws.

The pending U.K. law differs in only minor ways from GDPR. All of the main provisions in GDPR would remain law in the U.K. One small difference: If a person requests, social media companies will be required to delete all of that person’s posts that occurred before his or her 18th birthday.

The spillover effect is called the Brussels effect, and many believe it will happen — or is already happening — with the GDPR. The Brussels effect refers to how laws and regulations that happen in the European Union can have an informal effect worldwide. That’s because the population and market importance of European Union states is so large that non-EU entities that do business in the EU find it’s easier to conform their practices to many of the EU laws.

Smartsheet’s Martinez notes that Microsoft recently announced that it planned “to extend their GDPR privacy practices to everybody, regardless of where you live.”

Experts also say the recently approved California Consumer Privacy Act was significantly influenced by GDPR. The California law extends a range of new personal privacy and data protections to residents of the state. Like GDPR, the California law will have a significant effect nationally and internationally because of the huge consumer base of the state.

Experts also predict that GDPR will likely influence the U.S. federal and state governments to approve laws that increase GDPR-like personal data protections, including the following:

• Incentivizing or mandating that personal data be pseudonymized, or stored in a form such that a person can’t be easily identified
• Enhancing notification requirements after breaches
• Requiring security by design practices
• Requiring assessments on how new processes and technologies would affect personal data privacy
• Establishing state data protection agencies to oversee and enforce state laws

GDPR, and trying to comply with it, will also have legal effects and costs. Two of the main ones are described below:

• Potential for class action lawsuits against organizations not complying with the law. Class action lawsuits have been much less common in the European Union than in the United States. But there are specific provisions within the GDPR that allow individuals to create or be part of a group that can file a complaint (and ask for monetary damages) if their personal data has not been protected the way GDPR mandates.
• A boon for lawyers. In part because of the possibility of class action lawsuits, and because of the overall compliance requirements of GDPR, lawyers in the EU, the U.S., and across the world have become busy. One U.K. lawyer told Forbes magazine in May 2018 that some U.K. companies he works with are spending 40 percent of their total GDPR budgets on legal advice.

The Public Remains Concerned about Data Privacy

Besides frantically worrying about complying with GDPR — and the associated costs — business executives should remember that GDPR is trying to address a very real public concern. The public at large remains incredibly concerned about the privacy of their personal data. And when breaches happen, they blame companies that collect the data more than the hackers that hack it.

RSA, a global cybersecurity firm, conducted a survey of more than 7,500 consumers in France, Germany, Italy, the U.K, and the U.S. in late 2017 and early 2018. Below are some of the key findings:

• Sixty-two percent of consumers would blame the company that collected their personal data over the hackers for the loss or theft of that data.
• Forty-one percent of consumers admitted to falsifying their personal data to avoid unwanted marketing overtures or because of security concerns.
• Substantial majorities of consumers say they would boycott a company that repeatedly showed it cared little about protecting customers’ personal data. Eighty-two percent in the U.K. said they would boycott; 72 percent in the U.S. agreed.

The public’s concern about data privacy and data breaches is also reflected in how the financial markets respond to significant breaches. After Equifax announced in September 2017 that cybercriminals had got access to the personal data of more than 145 million customers, its stock price fell by 30 percent in about a week. 

Comparitech, a digital research firm, conducted a study in 2017 analyzing the stock prices of 24 public companies in the weeks and months after an announced data breach. The findings included the following:

• In the long term, share prices continued to rise on average, but at a much slower pace than before the breach. It found a 45.6 percent increase in share price during the three years prior to breach, and a 14.8 increase in the three years after the breach.
• Companies that experienced a breach significantly underperformed on the NASDAQ index — more than 40 percent less than the NASDAQ index after three years.
• Larger breaches had less of an impact on share price than smaller breaches.
• The immediate drop in share price was larger in breaches of especially sensitive data like credit card information and Social Security numbers, as opposed to data like email addresses.

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.