If you have spent any time watching Mark Zuckerberg being questioned by the House and Senate committees, then you heard him say that the changes Facebook is making to its privacy controls in order to comply with the E.U.’s General Data Protection Regulation will be “available” worldwide.
When GDPR takes effect on May 25 – less than four weeks from now – U.S. companies that process the personal data of individuals in the European Union must comply with the regulation’s strict requirements, with fines for noncompliance of up to €20 million or 4% of annual worldwide turnover, whichever is higher. According to Internet usage statistics for Western Europe, Facebook had over 252 million users there as of June 2017, so it has clearly put in serious legwork preparing for GDPR, as every organization that receives and processes personal data of people in the EU should.
In an earlier blog post we pointed out that you don’t need to panic if you are already taking steps to comply with other standards and regulations that govern sensitive personal data, such as the PCI Data Security Standard for cardholder data and HIPAA’s requirements for protected health information.
Do you already self-certify compliance with the Privacy Shield Frameworks? These are the mechanisms agreed upon by the U.S. Department of Commerce and the European Commission (and by Commerce and the Swiss Federal Administration) that let U.S. companies meet European data protection requirements when transferring European residents’ personal information to the U.S. as part of transatlantic transactions.
None of these by itself means you meet all of GDPR’s requirements, but together they mean your organization is already familiar with the kinds of measures GDPR demands. Privacy Shield in particular gives your organization a solid understanding of GDPR’s goals, since both rest on the same core principles: notice, purpose limitation, individual access, and accountability for onward transfers.
If you’ve already moved to implement GDPR protections, great, but there are three considerations you shouldn’t overlook:
- Under GDPR, your organization remains accountable for what its third-party processors do with personal data. A controller may only use processors that provide sufficient guarantees of compliance and must bind them with a written contract (Article 28), and it can be held liable for damage caused by a processor that fails to comply (Article 82). In practice, if a partner that processes data on your behalf is not compliant, neither are you.
- Ask your partners where they process and store the data you hand them, and what they are doing to meet GDPR requirements. The question applies whether or not they have European operations: what matters is whether the data relates to people in the EU, not where the processor sits.
- Another thing to consider: no one knows yet exactly how the national supervisory authorities will monitor compliance, but investigations are likely to be triggered by complaints of noncompliance, which any data subject can lodge. As MarTech Today put it, “This process could leave you vulnerable to malicious reports from underhanded competitors. Your best defense is to be aware and prepared.”
Americans are beginning to pay much more attention to privacy and control over their personal data. As your organization responds to GDPR’s expectations, consider whether it makes sense to maintain two different privacy standards – a stringent one for your E.U. customers and users, and a weaker one for everyone else – or simply to apply the stricter one everywhere, as Facebook says its new controls will be.