In April 2016, the European Union parliament approved the General Data Protection Regulation — a new and comprehensive set of laws which must be adopted by all 28 EU member countries by May 2018.
GDPR was designed to give EU citizens full control over their personal data and establish a consistent standard for how organizations and businesses secure that data across the EU. In turn, the new set of laws is meant to simplify the regulatory environment for international business.
But even if your company is based outside the EU, GDPR compliance may mean some changes are in store for the way you operate. To find out more about what GDPR means for businesses outside the EU, I sat down with Robert Sawyer who oversees marketing responsibilities for the managed security offering at Rackspace and who has been following this issue closely. Here are some of the questions I asked:
So let’s say my company is based in the U.S. What does GDPR have to do with me?
Good question! If you aren’t in the EU, it’s less about where you’re based and more about where your customers are. Does your company do business internationally? Do you have offices in an EU member country? If you answered yes to either of those questions, GDPR will impact you. Net: if your company stores any data relating to EU citizens, it is subject to regulation.
That sounds complex. Are there a bunch of new regulations coming that will affect international businesses?
Because GDPR will extend the scope of its EU data protection law to all foreign companies processing data of EU residents, things should actually become easier for non-EU companies.
When it comes to customer data for people who reside in the EU, your company will be expected to adhere to one set of standardized data protection regulations. While it may mean a change in the way you currently do business, you won’t need to wade through a minefield of differing rules depending on which country you’re working with, so in that sense, it’s easier.
There’s a great article on our UK blog site featuring an interview with Rackspace Security IT Director Dee Richartz. While it covers GDPR from the perspective of an EU member country, it also addresses general client concerns, next steps and it will provide you with the basics of what this legislation looks like.
What will be the consequences for my company if we violate GDPR compliance?
This remains to be seen as the laws have yet to be implemented, much less enforced, but even U.S. companies with EU customers — including ecommerce companies with global customers — are on the hook for keeping that customer data GDPR compliant.
This will mean different things for different companies, but the big takeaway should be: don’t ignore GDPR. Becoming compliant is straightforward; dealing with non-compliance could get messy.
What’s the best way to approach compliance?
First, get familiar with GDPR and figure out how much of an effect it’s going to have on your business. Next, I think it’s important to game out a tactical plan for how you’re going to get there.
The deadline for GDPR compliance may still be several months away, but the time will go quickly. Businesses need to plan their compliance strategies right now and give themselves enough time to put the right technologies in place, iron out any flaws and stay ahead of the curve.
Further, companies like Rackspace can help. We store and transmit millions of data files on behalf of customers all over the world. As part of our Rackspace Managed Security team, we have security professionals in the U.S. and the EU who can help decipher some of this stuff and make suggestions for how a particular business might approach GDPR.
Thanks for your insights, Robert. This has been great!
Visit Rackspace to find out more about our managed security offering and the ways we can help your company become GDPR compliant.