On May 25, 2018, General Data Protection Regulation (GDPR) laws were officially implemented to ensure that any company, which digitally collects personal data from European Union (EU) citizen-consumers were expected to be in complete compliance with the regulations established within GDPR guidelines.
In order to be in full accordance with this new regulation, companies must provide, in several ways, a “reasonable” level of protection for personal data. Failure to do so could result in an aggressive fine of whichever is greater: €20 million or four percent of global annual turnover; a punishment that some believe will be eagerly enforced by the respective supervisor authorities of European Union member states.
So, if your company or organization does business with clients’ located within the European Union, what steps must you take to make certain they are compliant with the General Data Protection Regulation?
WHAT IS THE GENERAL DATA PROTECTION REGULATION?
The GDPR is a regulation which prioritizes privacy and data protection for all European Union citizens. However, the GDPR affects all companies that collect the personal data or IP addresses of EU residents, meaning that even companies outside of the European Union must be aware of and respond to the parameters of the GDPR.
In an effort to give web users more control over their personal data, organizations that collect information are now required to:
- Clearly state the reasons why they require a user’s personal information such as an email address and must explain how exactly that information will be used. Any use of opt-in strategies, implied consent or assumptions based upon previously afforded information is now prohibited under current GDPR regulations.
- Understand that any consent is action specific, meaning that permission for access to personal information must be sought for specific purposes and only used for those specific purposes.
- Allow customers to revoke any permissions at any time, collectively referred to as “the right to be forgotten.” Through this process, customers can request to have their personal data removed from a company’s database, which must be completed within 72 hours. Additionally, customers can also request that a company provide a summary of all personal data that they already have on them, which must be completed within 48 hours.
- Notify their customers and the governing authorities of any data breach within 72 hours.
Additionally, organizations with a “large database of EU clients” are also required to employ a Data Protection Officer to track compliance, respond to requests to be forgotten, and maintain file certification and compliance. However, the GDPR does not specify what qualifies as a large database of EU citizens.
WHY IS IT SO IMPORTANT TO BE COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION?
Although the parameters of the GDPR may be intense, the fines and the extent to which they may be enforced are just as serious. As mentioned above, failures to comply with the GDPR may result in a fine of whichever is greater: €20 million or four percent of a company’s global annual turnover.
According to Ovum, a London-based independent analyst and consultancy firm, 52% of companies believe they will be fined for non-compliance. For further context, management consulting firm Oliver Wyman expects that approximately $6 billion in fines and penalties could be collected in the first year.
However, at least throughout the infancy stage of the GDPR, significant and noticeable efforts to comply should protect companies from aggressive penalties.
United Kingdom information commissioner Liz Denham said in a recent speech;
“Hefty fines will be reserved for those organizations that persistently, deliberately or negligently flout the law. Those organizations that self-report, engage with us to resolve issues, and demonstrate an effective accountability arrangement can expect this to be a factor when we consider any regulatory action.”
According to the RSA Data Privacy & Security Report, 80 percent of consumers expressed that the loss of banking and financial data was a top concern, with 76 percent citing the loss of passwords as a concern, as well. However, to reemphasize the importance of personal data protection, and being compliant with the GDPR, the same report indicated that 62 percent of respondents would blame the company for any loss of data, not the hacker and 72 percent would boycott any company that appeared to disregard the importance of protecting their data.
HOW TO ENSURE COMPLIANCE WITH THE GENERAL DATA PROTECTION REGULATION?
Perhaps the first step to ensuring GDPR compliance is to completely understand how this regulation will impact your company, which begins with identifying which aspects of your company will be required to adapt.
The short answer is all of them.
For instance, compliance requires a practical understanding of how, and which, personal data flows in and out of your company.
However, data mapping is an effective way to inventory and analyze the movement of data within your company and should demonstrate the scope of the GDPR.
Next, ensure that both your company and employees have a strong knowledge of GDPR and are aware of any updates regarding GDPR regulations.
Being compliant is an ongoing process that begins with a few basic terms and understanding what types of personal data are protected:
HERE ARE THE TERMS:
- Data Subject – human being whose personal information is processed by a controller or processor
- Data Controller – entity that determines the purposes, conditions & means of processing personal information
- Personal Data – any information related to a data subject that can be used, either directly or indirectly, to identify
- Data Processor – entity that processes information on behalf of the data controller
TYPES OF PERSONAL DATA PROTECTED BY GDPR:
- Basic identity information like name, address & ID numbers
- Web data like location, cookie tags, IP address & RFID tags
- Genetic and health information
- Ethnic or racial information
- Political beliefs
- Sexual orientation
Truly understanding the GDPR also means accepting the financial impact of compliance. A PricewaterhouseCoopers report stated that 68 percent of U.S based companies anticipate spending $1 million to $10 million on GDPR preparation, with another 9 percent expecting to spend more than $10 million. However, while the up-front investment and continuous overhead may be expensive, the alternative is certainly far less favorable. Cost of compliance and set up could include:
- Employed data protection officer and GDPR compliance team
- Continuous audits of data flow and systems
- GDPR compliance training
- System or policy redesign
- Penalties and fines
Finally, be sure to always acknowledge and appreciate the importance of privacy and personal data.
HOW DOES GDPR AFFECT THE TRANSLATION INDUSTRY?
To maintain GDPR compliance, it is necessary to ensure that any contracted language service company (LSC) or freelance translators completely understand the responsibilities placed upon them, as data processors, as well as the responsibilities placed upon your company, the data controller.
For example, if an LSC subcontracts a freelance translator to complete a part of the project, such translator become a ‘sub-processor’ of that data. Therefore, all freelance translators must ensure absolute compliance with the requirements that both your company and the LSC, who are providing the work, adheres to. Even in instances where the LSC is EU based but the freelance translator is not, both parties are still required to meet all GDPR compliance requirements. In the unfortunate event of a data breach, identifying and understanding these differences will be imperative in determining where the responsibility lies.
It is also imperative that both data processors and controllers understand how to best handle data, once it has been processed. Unless they are legally required to do otherwise, which is a rarity, processors are expected to purge all applicable personal data, once payment for services have been finalized. Appropriately prioritizing data protection is integral to GDPR compliance and, just as any company should be wary of any LSC’s or freelance translators that do not completely understand the data protection expectations placed upon them, freelance translators and LSC’s should be equally wary of any company that does not address or outline data protection issues and expectations in their initial offer or contract.
For more information on the General Data Protection Regulation, or for help understanding how Bromberg & Associates can help your company achieve and maintain compliance, consider our compliance training solutions and website localization services.