Those businesses that require storing large amounts of consumer data in the EU area have to adhere to the more standard GDPR (General Data Protection Regulation) guidelines. The long expected EU General Data Protection Regulations (GDPR) came into effect on 25th May, 2018 for which any business serving in Europe must be prepared for. American businesses operating or serving customers in the EU must understand what they need to do to prepare for a new reality. Most of these firms rely on data processing services such as forms processing, data capture and OCR Cleanup to manage their huge customer data.
GDPR law, which replaces the 1995 Data Protection Directive, sets the minimum standards for processing data in the EU. Almost every company including technology firms, marketers, and data brokers who hold and process large amounts of consumer data will be affected. With these regulations in place, EU residents will have the power to demand companies to reveal or delete the personal data they hold. This law has also identified a new role – Data Protection Officer (DPO) – that businesses may want to consider appointing, as it may end up being obligatory. This role requires expert knowledge of data protection law and it could be filled by an employee or via a service contract.
It has been reported that companies such as Facebook have promised to follow GDPR throughout their global operations as the price of operating in Europe. In connection to this, Facebook also recently announced they would launch privacy tools to put people in more control of their data. These tools make it easier for users to see and access the data the social network holds on them.
Most Businesses Lack GDPR Awareness – Sage Survey
The latest global survey by Sage provides insights into customer awareness of and preparedness for the GDPR law. This report highlights that many firms do not understand what the General Data Protection Regulation means for their business. Key findings include the following.
- 91% of American businesses lack awareness surrounding the details of the GDPR
- 84 percent don’t understand the GDPR’s implications for their specific business
- Many businesses don’t know whether or not they will need to appoint a DPO to comply with GDPR
- Except certain countries like Germany, almost all regions report the majority of businesses are lacking in understanding
- In France, nearly 2/3 lack confidence they’ll be ready but only 1/3 are afraid they’ll be fined
- However, only a lower percentage of businesses feel they lack the resources to ensure GDPR compliance
All businesses operating in EU member states and serving individuals in the EU have to be compliant to the GDPR rules, either directly or as a third party. While implementing these regulations, American businesses must be aware of certain important factors.
Along with affecting all companies, individuals, corporations, public authorities or other entities that offer goods or services to individuals in the EU, GDPR will also impact charities and nonprofit organizations that collect information from individuals in the EU. Compliance to this law will be closely monitored by supervisory authorities. Violators can be fined up to 4% of annual global turnover or $23,494,300; whichever is more.
What Businesses Must Do to Comply with GDPR Standards
The law recommends organizations to examine and potentially change – how they collect, store and process information for business operations, which ensures the integrity of personal data for individuals. They must also
- Use all available channels – from websites to social media to email, to inform customers that they are taking steps to improve consumer data practices in accordance with the GDPR
- Update privacy policies and place an easy-to-find online FAQ about what the GDPR means for customer data to cover bases
- Review their personal data collection methods and their data processing systems in order to ensure GDPR compliance
- Find ways to dispose outdated data, and safeguard the critical information that is still needed
- Establish a company-wide system for protecting personal data and provide necessary training for each staff member
When it comes to healthcare data, compared to HIPAA, under the GDPR, organizations are required to honor all patient requests to erase personal data. While HIPAA allows healthcare providers 60 days from the time of discovery to inform patients of a data breach, under the GDPR, organizations will have only 72 hours to deliver the news to EU patients.
To be GDPR ready, businesses must also conduct independent audits of all data processes across departments, do modifications to current data operations and use more compliant information technology platforms, appoint and train a Data Protection Officer and launch documentation processes that demonstrate ongoing compliance with the GDPR. While outsourcing their data management tasks to data entry companies, businesses must make sure that their vendors are also aware of this GDPR compliance requirement and can provide services accordingly.
