As the EU GDPR compliance date of May 25, 2018 approaches, there’s an increased focus on GDPR legislation and how it will impact businesses worldwide. The actual GDPR document is pretty long, clocking in at 261 pages. Surprisingly though, those 261 pages go into a lot of detail but still don’t cover everything.
There are still a number of key questions on how GDPR will work, and what ripple effects it will have across various industries and business types. Even though these kinks haven’t been worked out yet, companies are *supposed* to be preparing to comply as much as they can, with the information they have today. It’s kind of like telling someone to go study for a test with only a fraction of the applicable textbook and course notes.
This last post in our series on GDPR (post 1 here and post 2 here) is dedicated to understanding these big unknowns. Here’s our take:
1. How will U.S. businesses comply with GDPR in practice?
GDPR follows on the heels of the 1995 Data Protection Directive, which formed the initial framework of data protection for EU residents. Things have changed quite a bit since 1995, so it was high time for new legislation.
However, there’s a difference between the 1995 legislation and GDPR: the 1995 legislation was a directive, while GDPR is a regulation. The key change is how specific the EU is with its instructions on how data protection is carried out. The 1995 Data Protection Directive provided very specific detail on how EU companies were to process personal data.
GDPR, on the other hand, provides a lot of detail on what the end result of business efforts should be: data subjects should receive clear direction on how to give consent, and they should be able to request, transfer, and erase their data, to name a few outcomes. However, what GDPR doesn’t do is provide specific direction to businesses on HOW to comply.
Complying with GDPR can amount to a pretty massive undertaking, and we don’t expect businesses to take this on individually. However, there is a huge gap to be filled in terms of helping U.S. businesses comply with GDPR in time.
2. Who will supervise compliance in the U.S.?
For companies in EU member states, the supervision of compliance seems pretty straightforward (and easier than it used to be). Under the 1995 Data Protection Directive, each EU member state had its own supervising authority. With GDPR, the EU is centralizing supervision under one EU supervising authority.
That raises the question: what will the supervising authority be for companies outside the EU? The framework is already in place for companies in EU member states, but it is unclear for companies in non-EU countries. GDPR stipulates that a supervisory authority *could* be some sort of government agency that is already known as a data protection authority. Here in the U.S., that could mean oversight by multiple state and federal agencies.
As it gets closer to GDPR go-live, expect to see more from U.S. government agencies on who will step forward to supervise GDPR.
3. How will U.S. businesses hold vendors accountable for GDPR compliance?
One of the really complex parts of GDPR - and a provision that will really drive adoption - is the network effect of vendor compliance. In order to be fully compliant with GDPR, a company must also ensure that all vendors, partners - anyone you do business with - are compliant with GDPR as well (where applicable, of course).
As if tackling internal compliance with GDPR wasn’t enough, now you have to (a) find out which vendors and partners fall under the jurisdiction of GDPR and (b) verify that the appropriate vendors and partners are GDPR compliant.
So as a business trying to comply with GDPR, what can you do other than ask vendors if they are GDPR compliant? And what proof can they give you that they are or aren’t GDPR compliant? Right now, the answer is just yes or no, accompanied by a list of proactive steps they’ve taken to become GDPR compliant.
In the future, new data standards are likely to arise in the U.S., similar to existing security standards. These standards will allow companies to verify their compliance through a defined series of actions, and then easily answer other entities who are asking.
GDPR is continually evolving legislation. How it works in practice may continue to change before the compliance date and beyond. Make sure your business is on the way to compliance - and ready to pivot if needed.