PPB January 2018
Data Redefined | FEATURE

branches, satellite offices or data centers in Europe, has never used European contractors, does not own any physical property or equipment on EU soil and has never had European clients or pursued leads in Europe, the GDPR may still apply. Companies with a public website, social media accounts or email servers, regardless of whether a transaction occurs, are subject to the GDPR. Even if a company is based in the U.S. but offers goods or services that collect personal data of an EU resident, that company falls within the GDPR scope. Shamini Peter, chief operations officer for distributor Axis Promotions, says she believes every company in the promotional products industry will see some form of impact from the regulation.

What makes GDPR compliance much more challenging than the existing DPD is its stringent codification requirements:

• Given that all EU residents are protected anywhere in the world, companies with clients, employees or even job applicants who are physically located in the U.S. but who maintain EU citizenship are considered data subjects by the GDPR.
• If an EU-based individual inquires about a product, the company offering that product falls within the scope of the new EU privacy rules, regardless of whether or not a transaction occurred.
• Employees visiting the EU and sending work emails with Personally Identifiable Information (PII) will trigger the GDPR.
• The regulation enforces a broader definition of personal data, which refers to any information that could be used on its own or in conjunction with other data to identify an individual. New examples that have been added to the definition include data extracted from physical objects [computers and smart devices], such as device locations, frequencies and IP addresses. The revised definition was written to be future-proof and therefore technology neutral.
The rationale for this approach is to ensure that the protection afforded by the GDPR is not circumvented by advances in technology. The GDPR establishes accountability for data protection across the data supply chain, and it is critical for business operations managed by third-party vendors to comply with these regulations. A new study conducted by the RiskIQ Threat Research team reveals that some major U.S. firms still have websites that don't comply. Under the GDPR, companies are expected to consider the risks inherent in personal data processing and to manage them proactively and appropriately. Research and advisory company Gartner predicts that by the end of 2018, fewer than 50 percent of companies affected by the GDPR will be in full compliance with its requirements. The latest analysis from Veritas suggests that 86 percent of organizations worldwide are concerned that a failure to adhere to GDPR could have a major negative impact on their business, and nearly 20 percent fear that noncompliance could put them out of business. To support GDPR specifications, companies need a comprehensive understanding of their digital footprint, keeping an inventory of every external asset that gains exposure, including: a user's name; phone number; address; social media presence; photos; lifestyle preferences; location data; and even IP address.

EXAMINING THE GDPR

Data Subject Rights

Along with the expanded definition of personal data, the GDPR also provides data subjects with enhanced, powerful rights about how companies may retain and process their personal data:

The right of access allows individuals the ability to confirm whether or not their personal data is being processed, as well as prompt open access.
• Companies must provide categories of concern and identify any external recipients that have been or will be exposed to the data.
• Companies must disclose the purpose of processing, source of and duration for which the data will be stored under the new regulation.
• Companies no longer have 40 days to respond but must act on the request without delay.
• Companies must provide this access to the consumer at no charge.

The right to rectification provides data subjects with the ability to correct any inaccurate or incomplete information.

The right to object to processing can be exercised at any time by the data subject.
• Companies must cease processing data for legitimate interests, direct marketing and even research purposes.
• Companies must have structures in place so that employee personal data can be easily accessed, provided upon request, and reasons behind processing can be justified.

The right to erasure is popularly

Any company that markets goods or services on a public platform can be subject to the GDPR.

JANUARY 2018 | 85