Starting next spring, the European Union will begin operating under the General Data Protection Regulation (GDPR). Once it becomes enforceable in May 2018, the law designed to protect consumer data will have wide-reaching effects that touch companies well beyond the European border.

Organizations anywhere in the world that do business with citizens in the EU will have to comply with the new regulations. For many, especially companies in the United States that have consumers in the EU, GDPR will require making some significant changes in order to comply.

While 10 months may seem like plenty of time for an organization to cross the t's and dot the i's, GDPR will present some hurdles as companies attempt to reach a state of compliance—especially as fines of up to four percent of global revenue loom for those who fail to operate under GDPR’s requirements.

Get An Early Start On Compliance

Organizations shouldn’t make the mistake of waiting until the last minute to comply with GDPR. The new regulation doesn’t require just getting a new certification or adding a simple disclosure—it requires companies to fundamentally change how they collect and manage consumer data.

At its core, GDPR is designed to protect personally identifiable information by strengthening and unifying the standards for data storage inside the EU and addressing how data from citizens of the EU can be used by organizations elsewhere.

American companies that do business in the EU will now have to keep EU consumers’ information on servers within the EU rather than bringing that data back to servers based in the U.S.

“For every company that sells to a customer in the EU, you now have to set up a different instance or a different hub where your data can be stored that cannot be accessed or shared outside of the EU,” Monica Eaton-Cardone, the founder and chief operating officer of Chargebacks911, told International Business Times.

“This really is presenting a significant challenge for lots of CRM (customer relationship management) companies, individuals in the payment industry and retail merchants,” Eaton-Cardone said.

It’s not just merchants and sellers who will be subject to the changes. Colleen Huber, director of cyber education strategy at MediaPro, told IBT even organizations that don’t have direct operations or sales in the EU may be subject to GDPR.

“GDPR compliance is required for organizations that provide services or goods to the —even for free,” she said. “With today’s cloud-based technology, organizations of all sizes and across all industries could potentially fall under the scope of the GDPR.”

Eaton-Cardone warned that the changes required by the GDPR will likely be burdensome for organizations, as they will require establishing new operational practices for handling data within the EU. That means new protocols for collecting, maintaining and handling that information, which will likely have to meet a higher standard than the one currently in place for businesses based in the U.S.

Eaton-Cardone also doesn’t expect that U.S. companies will bring home the practices required to comply with the GDPR, meaning they will have to maintain two separate standards.

“In many ways, a different set of rules acts as a barrier,” she said. “Now you have two independent organizations operating independently and you end up with more separation…. You're making the two areas more different, not less.”

Given the amount of change companies will have to undergo, there is no time to wait to begin working toward compliance. A recent survey found nearly one in four small businesses in the United Kingdom and 10 percent of companies with more than 500 employees have yet to begin preparing for GDPR.

The figures are likely higher for U.S. businesses that may be unaware they will be affected. It isn’t too soon to start working toward meeting the requirements—especially when waiting may lead to massive fines.

Don’t Forget About Employees

While a major part of GDPR focuses on how companies treat consumer data, organizations will have to do more than just make sure they are compliant with those requirements. They will also have to inform their workforce of the new rules and make sure employees are properly trained to handle data.

One of the requirements of GDPR—albeit vaguely defined—is for companies to “raise awareness” of and “train” their workforces on how to handle data while operating under the new law. Even if it weren’t mandated, educating employees would be an essential, if overlooked, aspect of following GDPR.

“One of the biggest impacts of the GDPR is the requirement of some level of training for any staff with access to personal data,” Huber said. She explained the best thing organizations can do to get ready for GDPR is “to start the conversation early” and invest in training and educational materials that prepare employees for coming changes to data processing procedures.

Huber said the process will require “an organization-wide initiative” that will involve all levels of the company. It’s not just those sitting in executive suites who need to know the rules of GDPR; it’s those maintaining servers and running the day-to-day operations of data storage. If they are unaware of the requirements and continue to operate as if nothing has changed, it could put the company at risk of being hit by sanctions or fines.

Be Ready For Hiccups

Like any rule or regulation, GDPR will present companies with some problems as they work toward compliance. This is especially true for companies operating in the U.S., as the data requirements present a central change in how data is to be treated.

"We have an industry that has really catered to consumer demand to remove friction [in transactions] and we're employing some additional friction in these processes," Eaton-Cardone said.

She explained that tools enjoyed by consumers, like one-click checkouts, may not be available under GDPR because consumers have to provide their consent to purchase products rather than allowing a company to store their information and immediately recall it for them.

“The amount of information that is put up publicly is astonishing,” Eaton-Cardone said, noting companies like Facebook and Google have been built off of data. While those services are unlikely to change, GDPR will present a shift in how consumers can control their own data and how businesses can interact with it, and those changes will create some bumps in the road.

Because there aren’t checkpoints in compliance along the way before GDPR goes into effect, there is also a risk of some confusion once the rules become enforceable. Huber warned the change in business operations “may feel like a major change” and could be “chaotic, even,” especially for those who aren’t prepared.

There will also be some confusion along the way as to how parts of GDPR will be enforced. It isn’t entirely clear how the EU will be able to enforce sanctions on U.S.-based companies—especially those that don’t do direct business within the EU. Eaton-Cardone also raised concerns about rules that have dubious plans for enforcement.

She noted GDPR will require organizations to not host any data from minors without consent from a parent or guardian, despite the fact that there is no clear way to prove consent was provided by one of those parties. "We can barely even prove the customer who made a purchase online was even the actual card holder," she said.

Because of the possible complications of GDPR, companies also may opt to avoid the EU rather than risk failing to comply. "I think it will definitely create some barriers with regard to a lot of the market progress from the U.S. into Europe," Eaton-Cardone said.

"We need to make sure we have enough friction that our privacy is protected," she said. Only time will tell if GDPR provides the correct balance of privacy and convenience or if it will create too much of a burden for companies to comply.