The European General Data Protection Regulation (GDPR) goes into effect May 25, 2018, and will transform how organizations all over the globe handle personal data. Nick Merker, partner and co-chair of Ice Miller's data security and privacy practice, spoke with SearchCIO at the 2017 ISSA International conference in San Diego about how the regulation will influence U.S. business operations.
In this video, he details how the new GDPR rules empower consumers to take control of their personal data, offers tips about how U.S. businesses can remain GDPR complaint and enumerates the risks that companies will face if they fail to comply with GDPR rules.
Editor's note: The following transcript has been edited for clarity and length.
How do the GDPR rules strive to improve consumer privacy and cybersecurity?
Nick Merker: It does two things. First, it puts more power into the hands of the consumers. If you're an individual and your information is being collected by a company, you can request to have access to your information, you can correct your information and you can ask a company to delete information they have about you. It gives you more power than what you have today under the law.
Nick Merkerpartner, Ice Miller
The second thing that it does is it requires companies to think about privacy throughout the entire lifecycle of new projects and new products they are developing. From day one, organizations have to think about privacy and think about how they're giving rights to the consumers, which has never been done before in the law.
How will the GDPR rules influence operations in U.S. businesses?
Merker: In the U.S. today, there are many companies that are somewhat ignoring compliance with privacy laws, whether it be the laws in the EU or U.S. The new GDPR rules will change that. With the threat of massive fines and the requirements that you have to have, many companies are now coming into the fray and doing things appropriately for privacy that weren't [done] before.
How can businesses ensure that they are GDPR compliant and what steps do they need to take?
Merker: Ensuring that a company is compliant would be a very, very difficult task. No matter what a company does, there's always going to be a little bit of compliance risk, most likely, somewhere. And because of that, what I'm working with clients [on] is to do a gap analysis. The gap analysis identifies what organizations have today and what they need to have under the GDPR rules. We then do a risk assessment with the client on what needs to be done to plug those gaps, or identify risks they are willing to accept. That's the first step that a company has to take to understand what they need to do to be compliant.
Can creating a data inventory help?
Merker: A data inventory is something that every company should consider doing. A data inventory helps with finding where personal information is in your environment, what database it's in, how it's being used, what resources in your company have access to that information -- and it gets it somewhere that's documented. If you have a data breach, you know immediately what the scope of that data breach is based on the inventory. In addition, as new projects and new products start to touch different databases, you know what personal information is at issue. It makes your compliance regime a lot easier to tackle.
What are some of the risks companies face if they're not compliant with the new EU GDPR rules?
Merker: The GDPR has very high fines that are making news -- percentage of worldwide revenue fines -- something that we've never had before. However, I think a stronger driver for compliance is the loss of consumer goodwill. If you're a company that's noncompliant and there's a large decision levied against you or a large outcry from a data protection authority against you, that's going to hit your bottom line in a different way than just a fine. People will no longer trust your business and go to your competitors, and that's really going be a big driver.