PPB January 2018
Who’s Responsible?

The GDPR affects every entity handling or using data—in essence, every professional in the modern business era. It is important for companies to keep detailed records on how information is used and stored, as well as to document decisions made outside of the processes in place.

Security

The GDPR requires companies to implement measures to ensure an appropriate level of security is in place for processing and relies on the concept of ‘pseudonymizing.’ Simply put, this is a method to substitute identifiable data with a reversible, consistent value. After pseudonymizing, data is no longer directly identifiable, but it can still be tied to a specific individual when combined with other data and statistical analysis.

Data Protection Officers (DPOs) And Enforcement

The GDPR requires Data Protection Officers (DPOs) to be appointed for all public authorities, and where core activities involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data.” Though an early draft of the GDPR limited mandatory DPO appointment to companies with more than 250 employees, the final version has no such restriction.

EU-member Supervisory Authorities (SAs) will enforce the upcoming GDPR through investigative and corrective powers, including directly against U.S. companies that have a physical presence in the EU. U.S. companies without a physical presence in the EU but that knowingly and actively conduct business in the EU are required to designate a representative located in the EU. Investigative powers allow SAs to take up any complaint received and employ a wide range of measures, including audits or open access to company assets. Corrective powers include the ability to issue warnings, reprimands and orders to bring processing operations into compliance.
SAs also hold the right to impose temporary or definitive bans, withdraw certifications, order breaches to be communicated to data subjects, cease data flows altogether and even levy substantial fines.

Fines

Along with the strengthened policies, the GDPR codifies a penalty structure for violations. In the case of a privacy breach, the GDPR requires companies to report the incident to SAs within 72 hours of the discovery. Failure to comply with the requirements could result in financial penalties of up to €20 million (approximately $23.5 million) or four percent of a company’s global annual revenue, whichever is higher. With the assistance of U.S. authorities, EU regulators can also fine U.S. companies for violating the GDPR.

What Now?

A recent survey by PwC revealed that compliance with the GDPR is a top priority for 92 percent of U.S. companies. While regulatory in nature, the GDPR should elevate core values of trust and relationship building that will enable companies to build on data and gain more value in the marketplace. Failure to implement successful, compliant data protection measures may damage a company’s reputation, customer relationships and, ultimately, its financial security. The promotional products industry alone has seen a 55 percent increase in online sales over 10 years, based on the recent PPAI Sales Volume Study (Figure 2). The study defines online sales as reflecting

Figure 2. Promotional Products Industry Sales

                             2006      2011      2016      10-YR GROWTH
INDUSTRY TOTAL NET WORTH*    $18.1B    $17.7B    $21.3B    18%
OFFLINE SALES                $15.4B    $14.6B    $17.1B    11%
ONLINE SALES                 $2.7B     $3.1B     $4.2B     55%

*The promotional products industry total net worth is based on actual sales reported by U.S. promotional consultant companies in the PPAI annual Sales Volume Study report. The figures represent an estimate of the promotional sales of U.S. distributors, including both PPAI members and nonmembers. Figures project across the entire distributor population combined sales for small distributors (under $2.5 million) and large distributor firms (over $2.5 million).

Source: 2016 Sales Volume Study (PPAI Research, July 2017)

Data Redefined | FEATURE | JANUARY 2018 | 89