The EU is known for its rules and regulations, and while those in the States can usually look across the Atlantic as a casual observer, the introduction of the General Data Protection Regulation (GDPR) is not one of those times. In May 2018, the European Commission will introduce an entirely new set of standardised laws designed to unify data protection across the European Union and they will apply to any business that operates within those confines too. In a nutshell, if you do business across the EU or plan to do so, it’s time to protect yourself.
The driving force behind these new regulations is the proliferation of high-profile security breaches. In a year which has seen global and American brands alike hitting the headlines for all the wrong reasons, the Identity Theft and Resource Center and CyberScout reported that data breaches saw a 29 percent increase YoY for the first six months of 2017. From Equifax and Hyatt to Yahoo! and Home Depot, it seems like no-one is secure. Needless to say, this has pressed international and American legislators to push businesses to comply, or pay the reputation, loyalty, commercial and now financial, penalties.
The GDPR laws will do just that – overruling national legislation and covering individual rights, data transfer safety and the lawful processing of data – all of which will increase liability and accountability in the event of a breach.
How will GDPR affect my contact centre?
While the new laws seem to be EU-centric, they actually apply to any organisation who deals with any EU individual – whether you have a physical presence there or not. That means if your contact centre markets to, processes the data of, or stores data about anyone in the EU, the GDPR will apply to you. The definition of what consists of personal data under the GDPR is quite broad. It includes any information that relates to an individual, such as names, email addresses, other personally identifying information and any technical information that might be stored. Assuming your business can just fly under the radar is a risky proposition considering how easy it will be to inadvertently break these laws. If you have merely have one EU-based customer, this will apply to you.
What happens if I don’t comply?
The main difference between the GDPR and the PCI DSS is that the former will be enshrined in law. The most significant change and incentive to comply is the severity of the potential penalties that can be incurred. There are two levels of penalties – the lower one presenting a maximum penalty of up to $11.7 million or 2% of worldwide annual revenue of the prior financial year, whichever amount is higher. For the more severe offenders, a fine of up to $21.6 million or 4% of worldwide annual revenue of the prior financial year could be imposed. These new penalties are a strong incentive for companies to comply with the GDPR. U.S. companies used to operating under only U.S. privacy laws will need to embrace this brave new world if they are to avoid these harsh penalties.
If the financial fines weren’t enough of an incentive, EU citizens will now have the right to bring class action lawsuits against organisations who have been deemed to put their personal data at risk.
I don’t work with EU customers, so can I ignore GDPR?
If you definitely don’t work with any EU customers then, yes, you don’t legally have to comply with GDPR. The truth is, however, that it’s highly likely GDPR will become a global standard for data protection in the future. Even if it doesn’t, compliance with the GDPR’s comprehensive rules is your best way to keep your customers, and therefore your own reputation and business, completely secure.
The changes don’t come into action until 2018, why do I need to prepare now?
As with most major regulation changes, the European Commission is giving businesses plenty of time to adjust to the new rules. However, it’s important not to fall into the trap of waiting until the deadline next May to start implementing the change. Installing and testing new systems, training employees, and getting your head around the new assessment processes can all take time, so give yourself as much as you need to avoid being caught out. With 92% of US organisations identifying GDPR compliance as a top data protection priority, you don’t want to be left behind.
If you’d like to discuss the new GDPR legislation and how it might affect your contact centre, speak to our secure payment experts today. We’ll not only suggest a solution to de-scope your payment environment from the requirements of the PCI DSS, but we’ll also ensure you’re fully compliant with the GDPR.