A practical guide to the European Union’s GDPR for American businesses

The European Union’s General Data Protection Regulation (GDPR) will take effect next week, on May 25, 2018. The GDPR’s impact extends far beyond existing data protection measures and affects business of all sizes — from solopreneurs to the largest corporations.

A recent survey conducted by Sage found that 91 percent of American businesses lack awareness surrounding the details of the GDPR, while 84 percent don’t understand the GDPR’s implications for their specific business. American businesses operating or serving customers in the EU need to understand what they need to do to prepare for a new reality.

The fact that the GDPR will impact companies far beyond the borders of the EU calls for greater understanding of how the regulation — and related protection of personal data — applies to organizations based outside the EU. In fact, the GDPR has direct implications for a massive amount of businesses worldwide, due to the EU’s vast trading partner roster. From May 25 on, the EU will effectively require all businesses to be compliant if they wish to operate in EU member states and serve individuals in the EU — either directly, or as a third party (read: at all).

Here are a few things American businesses should keep in mind leading up to, and through, the GDPR’s implementation:

Does the GDPR apply to every business with EU ties?

It depends. The GDPR will affect all companies, individuals, corporations, public authorities or other entities that offer goods or services to individuals in the EU or that monitor their behavior there. For example, the GDPR applies to an American company whose website is made available to people in the EU, or a Boston-based HR manager in an international organization that collects data centrally from EU-based applicants and employees. The GDPR even applies to charities and nonprofit organizations that collect information from individuals in the EU.

Will compliance to the GDPR be closely monitored?

Yes. Noncompliance can result in massive fines. In fact, if a company is not compliant with the GDPR by the May 25 deadline, it could face penalties as big as 20 million euros (around $24 million), or 4 percent of annual global turnover — whichever is a higher amount of money. Supervisory Authorities within the EU have “investigative and corrective powers” to monitor and impose these administrative fines. The Supervisory Authorities’ job is to closely observe corporate data practices and strictly enforce punishment if GDPR requirements are not met on May 25 — or any day thereafter.

How will the GDPR impact enterprise data collection and processing?

The GDPR will require organizations with any ties to the personal data of individuals in the EU to examine — and potentially change — how they collect, store and process the information for business operations. Chiefly, however, the law will set a new global precedent around the importance of personal information ownership and consumer protection. Ensuring the integrity of personal data for individuals — not organizations — is a top priority for the GDPR.

What can businesses do to prepare customers or users for the GDPR?

Communicate. Organizations should use all available channels — from websites to social media to email — to tell all customers and users that the organization is taking steps to improve consumer data practices in accordance with the GDPR. Emphasize the company’s commitment to compliance with the GDPR — and the integrity of customer data. Update privacy policies and put together a simple, easy-to-find online FAQ about what the GDPR means for customer data to cover bases.

What can businesses do to ensure that staff members around the world are compliant?

It is crucial for enterprises to review their methods of collecting personal data and their data processing systems in order to confirm compliance with the GDPR’s requirements. That requires the participation of staff across departments. It’s equally important to think about how outdated and irrelevant data will be disposed of, and how to safeguard the critical information that is still needed. A company-wide system for protecting personal data needs to be established and understood by every staff member. At Sage, we introduced a comprehensive GDPR training program for our employees to learn the basics of data protection law and to help our people understand the importance of safeguarding personal information.

Are there any other measures businesses can take to be GDPR-ready by May 25?

In addition to the internal actions profiled above, organizations should consider devoting resources to the following preparation activities: independent audits of all data processes across departments; modifications to current data operations such as the establishment of staff retraining programs and procurement of more compliant information technology platforms; appointing and training someone responsible for data protection matters, possibly a Data Protection Officer; and launching documentation processes that demonstrate ongoing compliance with the GDPR.