What U.S. Businesses Should Know About GDPR and 5 Steps for Improving Compliance

March 19, 2018

Updated March 13, 2023

Don't get burned by General Data Protection Regulation (GDPR) noncompliance. Even though it’s a European Union-based data protection regulation, it should still be considered by U.S.-based companies that process personal data from people located in Europe. Here’s what you need to know about GDPR and the steps you can take to improve your privacy posture from a GDPR perspective.

What Is GDPR?

GDPR is the EU’s data protection law, created to protect the personal data of people in Europe and give them greater transparency over how their personal data is used. Established March 25, 2018, GDPR sets guidelines around the processing of personal data and holds companies responsible for the way they manage personal data. If GDPR applies to you, your organization could face severe penalties and fines in the event of noncompliance — up to €20 million or 4% of worldwide turnover for the preceding financial year, whichever is higher.

GDPR is a global privacy standard. Many countries apply its general approach to their local privacy regulations. Understanding the requirements and complexities of GDPR and integrating them in your privacy program will help you bolster your current privacy posture, improve your positioning in the global privacy landscape and may save you time and significant costs.

5 Steps You Can Take Today to Improve GDPR Compliance

Here are five steps you can take now to prepare your company for GDPR.

1. Assemble a team to evaluate current privacy practices

Appoint a team of privacy experts to assess your current privacy posture. The assessment should evaluate your relevant privacy and cybersecurity documentation and practices to determine whether they align with GDPR requirements and best practices. This will help ensure that your privacy program is transparent and up to date, and will surface any potential vulnerabilities and gaps. One way to evaluate your company's privacy posture is to perform a privacy assessment using the National Institute of Standards and Technology Privacy Framework (NIST PF), since it contains standards and best practices for managing privacy-related risks.

2. Create a data inventory

It is critical to keep track of the personal data you collect and classify it appropriately. Personal data processing records should be created and kept up to date so that you know what type of personal data is processed, where it’s being processed, why it is processed and who has access to it. From there, companies can take the necessary steps to improve their privacy program, such as ensuring proper review of third parties (e.g., vendors), proper implementation of marketing programs, proper communication with data subjects and the development of an action plan to shore up these areas. There are many automated solutions that can streamline this entire process and capture key data points such as:

  • What personal data do you process?
  • Why is this data being processed?
  • Where do you store the personal data?
  • Who has access to the personal data?
  • Is this personal data being transferred? If so, where?

It's crucial to know how personally identifiable information flows through your systems so that you can properly process and secure it.

3. Create and/or strengthen your cybersecurity and privacy strategy

If your organization has or aims to have a global presence, it is essential to have a uniform privacy and cybersecurity strategy. As previously mentioned, the GDPR approach and fundamental principles are often used as a global standard for such initiatives. Implementing proper cybersecurity and privacy protocols now and knowing how to structure your global privacy program will help you achieve cost-efficient remediation processes and avoid patchwork fixes, potential noncompliance costs and reputational damage down the line.

4. Remediate existing gaps and ensure efficient privacy management

Take charge of your cybersecurity and privacy management. Establish a plan to:

  • Identify existing gaps and solutions that are in accordance with your privacy strategy
  • Implement a privacy by design approach (including by documenting Data Protection Impact Assessments) to identify and reduce data privacy risks
  • Develop and implement processes to properly address data subject rights, including the "right to be forgotten," the "right of access" and the "right of rectification." (See GDPR’s “What are your data protection rights?”)
  • Evaluate third parties from a privacy perspective prior to onboarding them
  • Ensure that personal data breaches are properly addressed

5. Implement training programs

To ensure compliance with GDPR across your organization, it is key to implement comprehensive training programs for all employees who handle personal data. Include training programs such as:

  • GDPR introduction and refresher training to cover key GDPR concepts, compliance responsibilities and data protection requirements
  • Recurring personal data breach related training to make sure that your employees are aware of their personal data breach reporting obligations
  • Privacy training directed to your executive management and/or board
  • Training concerning data subject rights
  • Training concerning evaluation of third parties from a privacy perspective
  • Cybersecurity and privacy general and specialized training

Ensure that your training programs are ongoing and regularly updated to reflect regulatory changes and any emerging best practices for data protection.

Final Thoughts

GDPR is complex and many businesses are still getting up to speed with the requirements. Given the potentially steep penalties, it’s in your best interest to get your compliance in order sooner rather than later. By taking the steps outlined above, you can put the right controls in place to mitigate compliance risk and effectively protect personal data.

To learn more about preparing for GDPR compliance and ways to navigate other business disruption, contact our data privacy experts.
