Compliance implications for U.S. entities subject to the data privacy standards imposed by the E.U.’s General Data Protection Regulation
The widely reported data breach at a U.S. credit reporting agency is the most recent reminder that consumers’ personal data is vulnerable to exposure. The “massive” scale of the breach has prompted calls for regulatory action and new legislation directed at the whole of the credit monitoring industry, and it has left millions of consumers, now more aware of data privacy and data protection, scrambling to understand how best to safeguard themselves from the potential misuse of their data. Early responses include proposed new regulations from the New York Department of Financial Services that would subject credit rating agencies to its data protection/cybersecurity rule, as well as the introduction of multiple bills in Congress that would enhance protections for consumers harmed by a data breach.
As these events unfold in the United States, new data protection standards are set to take effect in the European Union (E.U.) beginning May 2018. The standards, referred to collectively as the General Data Protection Regulation (GDPR), cover the personal data of individuals in the E.U. and will directly impact multinational organizations doing business in and with E.U. countries.
Broadly, GDPR expands the definition of personal data, creates new privacy compliance requirements, imposes large fines and penalties for violations of an individual’s privacy rights, and applies extraterritorially to organizations based outside of the European Union. U.S.-based organizations will be required to comply with GDPR to the extent they handle the personal data of individuals in E.U. countries.
The Point of View paper, Converging U.S. and E.U. data protection requirements, outlines the compliance implications for U.S. organizations subject to GDPR and considerations for optimizing the future state of their privacy compliance.
However, regardless of an organization’s global footprint, these standards and the public’s increased sensitivity to data privacy and data protection mean that all firms should look to GDPR as a set of best practices against which to evaluate and revamp their data structures, security, incident response, and privacy programs.