GDPR: What it is and Requirements for US Companies
Once upon a time, anyone with a text editor and a server could toss together an Internet shopping cart and start collecting credit cards. Novelties like encryption and access control were optional. It was the digital wild west. We all suffered, like innocent bystanders stuck in a hacker shootout.
Payment Security: A High Priority
Security breaches exposed identities by the millions. Target, Home Depot, Sony, and others make a "who's who" list of corporate hack victims. In response, the Payment Card Industry (PCI), a consortium of payment processors, banded together to create security standards for merchants. These standards came with hefty fines for violators and eventually created an Internet culture where payment security is finally a high priority.
What is GDPR?
The European Union (EU) passed the General Data Protection Regulation, commonly known as GDPR, in April 2016 but wasn't widely adopted and enforced until 2018.
This set of regulations is similar to PCI, but with some notable major differences. Unlike PCI, GDPR was created by a government entity with more far-reaching legal authority than a corporate consortium.
Also, where PCI focused on payment processing security, GDPR has a broad scope that covers all manner of Personally Identifiable Information (PII). PII is personal information, such as a name or social security number, used to identify and distinguish between people.
The regulations have shocked the digital world; indeed, GDPR grants the Data Protection Authority the power to fine violators up to 20 million euros or 4% of annual turnover.
Does GDPR Apply to Companies in the US?
Some have noted the regulations protect only EU "Data Subjects," yet this limitation in scope is not at all a free pass to American companies. An EU Data Subject is any EU citizen, regardless of their place of residence or physical location.
This means that if you are a US company that possesses data on any EU citizen then you must be in compliance with GDPR.
Some have questioned the legal authority of the regulations—how could a regulation in Europe exercise any control over a company based in the United States?
But US-EU trade agreements give each government legal authority to issue judgments when corporations or citizens violate laws, so GDPR is nothing new in this regard.
One might argue that the definition of PII can mean many things to many people. While true, that point of view fails to exempt one from GDPR, which has a specific and clear definition of what constitutes PII.
In the US, an IP address is generally not considered PII, while it is considered PII under GDPR.
Much like PCI, GDPR mandates a combination of technology and policy to keep PII safe. GDPR establishes rules about the methods used to capture data, the notice you give to data subjects, the ability for data subjects to see and erase their data, who can access the data, and what needs to happen when the data is hacked – just to name a few.
GDPR Compliance Checklist for Companies in the US
GDPR compliance is a big deal. This is why we help our clients achieve GDPR compliance through a GDPR plan but for companies who want to check on their own, we put together this checklist that will take you through the important steps to make sure you are adhering to the rules set forth by GDPR.
1. Do you have personal information (PII) on any EU citizen?
The first step is to determine if your company has any personal data on an EU citizen. If you do, then continue to the next questions.
2. Do you process this data to offer goods or services to these individuals?
If you are using this data to offer goods and services then GDPR laws need to be followed.
3. Why are you processing their data?
Once you decided you are in fact processing an EU citizen's personal data, you not only need consent but need to make sure you are telling them why you are processing it. What are you using it for and how will you be using it?
4. Is data privacy a top organizational priority?
This is something your organization should already be doing but to comply with GDPR, your company needs to understand the risks and ramifications if data was breached but also you need to make data security an organizational best practice for everyone.
It is important to do all you can as an organization to prevent data breaches.
5. Do you have someone whose role focuses on data privacy?
A requirement of GDPR is for organizations to have someone in charge of ensuring data protection and privacy. If you are a large organization, make sure you have someone like a data protection officer.
6. Do you have a plan when a data breach occurs?
It is important for your company to have a plan in place so when a data breach does occur, everyone knows their role and responsibility. It is important to always encrypt your data so it reduces the chances of being exposed during a breach.
7. How do you handle data processing with your vendors?
Did you know that you could be held partially responsible for how a vendor handles personal data? Most companies use vendors like cloud storage providers, hosting partners, or email providers that must use the data you collect. If these vendors violate GDPR, you could also be held responsible. This is why it is important to have some type of signed agreement that keeps each side accountable for ensuring data privacy.
This list does not include everything you must do to comply with GDPR. Every organization is different so it is important that you do your research and check out the GDPR website and these helpful checklists they have to ensure compliance is met. https://gdpr.eu/checklist/
PCI and GDPR Make the Web a Safer and Better Place
Before PCI, the web was a more dangerous place. Although PCI created quite a burden for merchants, that burden ultimately proved worthwhile. Thanks to PCI, the web is a safer place to make payments today. In the same way, GDPR- gives all of us an opportunity to step up and make the web better.
Fortunately, Smooth Fusion is equipped to use tools provided by Microsoft and other technology partners to help our clients achieve GDPR compliance (check out our GDPR Plan). Azure, SQL Server, Office 365, and other Microsoft technologies give developers powerful tools to fulfill the GDPR regulations and ultimately give our customers a safe, secure experience.
Resources: General Data Protection Regulation (GDPR) - Investopedia
Article updated on October 2021.