The General Data Protection Regulation expands the scope of enforcement to include a number of companies that are not based in the EU, but regularly do business with EU data subjects. The GDPR's expanded scope not only affects those businesses, but also the businesses that provide processing services to them. Those processors should be prepared to assure their business partners that they take data protection seriously.
The General Data Protection Regulation extends its territorial scope to businesses that have no establishment in the EU but offer goods or services to individuals in the EU, as well as those that monitor the behavior of individuals in the EU. This is unlikely to change the position of larger companies that already have establishments in the EU. But a number of other companies that regularly offer goods and services to Europe without a physical presence there will need to change their business practices to come into compliance with the GDPR.
The obligations those data controllers face include obtaining assurances from the business partners that process data on their behalf. Under Article 28, a controller may use only processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures to meet the Regulation's requirements and protect the rights of the data subject, and the processing must be governed by a written contract that sets out those obligations. Taken together, this means companies that come under the GDPR's jurisdictional expansion will have to take a closer look at the agreements and privacy practices of their contracting partners.
This makes GDPR compliance not so much a legal issue for those processors as a business issue: a processor that is not ready for the GDPR may find itself losing business to competitors that are better prepared. With only months to go before the GDPR enters into full force, a company that is only now starting will find perfect compliance hard to achieve in time. However, there are a number of steps a processor can take now that will give its potential GDPR-compliant business partners confidence in its data protection measures.
Take an inventory of the personal information in your care
Step one is knowing what personal data you have and where it is. In this context, the priority is how the processor handles the data of its business partners. The processor will need to know what types of customer data it stores, where it stores that data, and how and when employees access it. A complete inventory can take months or even years. But even a general overview of the types of data a processor collects is useful for evaluating what its business partners will need in order to meet their own legal requirements.
Think about your data lifecycle
Both the right to erasure (the "right to be forgotten") and the GDPR's storage limitation principle point the same way: personal data should not be kept once it is no longer necessary for the purposes for which it was collected. Article 28 makes this concrete for processors, requiring that at the end of the provision of services the processor delete or return all the personal data to the controller, at the controller's choice, and delete existing copies unless EU or member state law requires their retention. A business working towards GDPR compliance will ask about a potential processor's exit plan and how it intends to address those issues, so the processor should know how it would locate, return and delete a given customer's data, including data in backups.
Know and document your data security measures
Most U.S. businesses already have some data security measures in place to protect at least some types of personal information. But under the GDPR, data controllers must be able to show that their processors maintain appropriate technical and organizational security measures before doing business with them. Business partners will almost certainly ask for documentation of the processor's data security measures. Ideally, a processor should have a document that lists its technical, organizational and administrative measures (for example, encryption of data at rest and in transit, access controls, logging and monitoring, and personnel training) that it can feel comfortable sharing with current and potential business partners.
Have an incident response plan
While it has always been a good idea to have a written plan for addressing data breaches, the GDPR makes this more urgent because it requires data controllers to notify the competent EU data protection authority of a personal data breach. Unlike U.S. state breach notification laws, which cover a narrower set of personal information and typically allow on the order of 30 days to notify consumers, the GDPR requires a controller to notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, the controller must also inform the affected individuals. Processors, in turn, must notify the affected controllers without undue delay. In practice the controller often becomes aware of a breach only when its processor reports it, so the controller's 72-hour clock may effectively start with the processor's notice. With timetables this tight, it is imperative to have a plan in place to quickly identify a data breach, determine its cause and scope, and notify business partners with the information they need for their own notifications: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken to address it.
Have a knowledgeable point of contact for privacy issues
The typical U.S. processor will not need to meet the GDPR's data protection officer requirements, which apply only where core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. However, contracting partners will still need information from the processor to respond promptly to requests from both data subjects and regulators. Having a knowledgeable point of contact who can help data controllers answer those enquiries quickly will support their GDPR compliance and lead to better customer relationships.