One current and significant issue facing U.S. businesses is the General Data Protection Regulation (GDPR), a regulation in European Union law on data protection and privacy for all individuals within the EU. The law, which becomes enforceable on May 25, also governs the export of personal data outside the EU. Its purpose is to protect citizens and their personal data, especially when they deal with international businesses.
Since its inception, the GDPR has raised a number of questions as to whether businesses are properly prepared for the upcoming mandate and its enforcement. The GDPR was adopted in April 2016 and allotted a two-year post-adoption grace period for businesses to plan and implement a compliant approach. With only one month left, it has been reported that an estimated 61 percent of U.S. businesses are not ready for the regulation, and that only 67 percent of European-based businesses have begun implementing a GDPR compliance program. As the May enforcement date approaches, businesses are struggling to fully understand the regulation and, as a result, are failing to launch a comprehensive compliance plan.
Many have suggested that the GDPR will set the global precedent for data privacy and security regulations. China and Brazil have both expressed interest in forming similar requirements to protect the privacy of their citizens and their personal information from businesses storing and transferring data internationally.
Several retail chains can be identified as “international influencers” through their multi-national brick-and-mortar stores and international marketing efforts. A well-known example is Whole Foods, an American supermarket chain that previously operated over 477 stores in North America and the United Kingdom. In June 2017, Amazon acquired the natural-foods company, making the e-commerce giant America’s fifth-largest grocery retailer. The marketing data obtained through the acquisition gave Amazon valuable behavioral statistics on grocery-buying habits, patterns and product preferences. It is estimated that over 80 million individuals are Amazon Prime members and, with this new data, Amazon can build accurate predictive analytic models that suggest to Prime members what they will want, how much they will want, and when they will want it.
The GDPR places Amazon’s acquired “Whole Foods” business unit under watch not only for its presence in the United Kingdom, but also for its monitoring of EU data subjects and its attempts to offer them goods and/or services. Amazon’s business practices likely include the use of automated individual decision making against EU customers, which requires consent under the GDPR. Amazon would be engaging in what the GDPR refers to as “processing,” which covers actions performed on data, including collection and storage. The retailer must, therefore, have processes in place to honor the distinct rights awarded to EU data subjects, and must be able to operate under the regulation’s guiding privacy principles.
The regulation further dictates appropriate security efforts around the protection of personal data, establishes breach reporting requirements, and increases the risk associated with vendors processing this data. These expansive requirements make the process of marketing and vendor outsourcing much more complex for anyone with a direct consumer relationship with EU data subjects.
Smaller agencies may not be taking the new regulations as seriously as they should; however, past enforcement actions point to enforcement risk even for smaller businesses. The GDPR states that non-compliant companies posing a risk to EU citizens and their privacy can be fined up to $20 million or 4 percent of their global turnover for the previous fiscal year, whichever is greater. It is important to note that this fine is per violation.
Companies can take several actions to mitigate their risk. One step begins with understanding how the GDPR applies to the various parts of the business, and understanding each unit’s risk profile in order to establish priorities for the initiative. Once risks and priorities have been identified, it is critical for organizations to identify and establish their lawful basis for processing this data.
Every industry faces its own unique risks and operational challenges, and each organization within it has its own maturity relative to industry peers. A compliance firm can help to quickly identify both industry and organizational risks that are often overlooked, formulate a plan to mitigate those risks, and set up ongoing monitoring programs that maintain valuable records of compliance.
To adequately prepare for the GDPR and similar regulations likely to be introduced in the future, businesses must begin educating themselves on these regulations and on how they will choose to meet the requirements. Applicable processes and procedures can clearly help minimize exposure to fines, but they also provide an opportunity within the market to reassure customers and, in return, earn their trust.