Do you do business in Europe? Or, more precisely, does your business collect or use any data from European consumers? If so, mark May 25, 2018 in your calendar, as that is when the General Data Protection Regulation (GDPR) comes into effect. Better yet, start preparing today, as you will want to examine all your data handling procedures and processes to ensure you are in compliance.

The overarching goal of the regulation is to give EU citizens more control over their personal information. They are able to access their data more easily, move it to another service provider, delete it (if there is no reason to keep it), or find out whether a company holding their data has been hacked. At the same time, the regulation's intent is to improve business innovation and create business opportunities. While many think regulation only makes business more complex, rules that clarify and homogenize numerous other regulations across the entire EU are, according to Andrus Ansip of the European Commission, "a major step towards a Digital Single Market".

Significant GDPR Considerations

| Consideration | What it means |
| --- | --- |
| One set of rules | A single EU-wide law that covers all data protection requirements |
| Data Protection Officer (DPO) | Large-scale data operations and public authorities require a designated DPO |
| One-stop shop | Businesses deal with one single supervisory authority (from their primary country) |
| Data protection by design and by default | Design and develop new products and services with data protection standards built in from the start, and default to privacy-friendly settings |
| Removal of notifications | For most cases, obligations to notify the DPA (Data Protection Authority) are unnecessary. However, risk assessment and record-keeping requirements still exist for high-risk situations. |

EU-US Privacy Shield & Umbrella Agreement

As data protection laws vary country by country, there remains substantial confusion about the exact nature of the laws governing data that crosses borders.
At a high level, the GDPR summary states: "companies based outside the EU must apply the same rules when offering services or goods, or monitoring behavior of individuals within the EU." For US companies, look to the EU-US Privacy Shield, a framework for transatlantic exchanges of personal data. In addition, as of Feb. 1, 2017, the EU-US Umbrella Agreement extends judicial redress protections before U.S. courts to individuals living in the EU.

It is an open question whether these agreements will withstand court challenges, new laws or executive actions. For example, one of the Trump Administration's first actions was signing the Enhancing Public Safety order, which stated: "Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information." Many took this as breaking the Privacy Shield. However, the European Commission recently stated:

> "The US Privacy Act has never offered data protection rights to Europeans. The Commission negotiated two additional instruments to ensure that EU citizens' data is duly protected when transferred to the US: The EU-US Privacy Shield, which does not rely on the protections under the US Privacy Act. The EU-US Umbrella Agreement, which enters into force on 1 February (2017). To finalize this agreement, the US Congress adopted a new law last year, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts."

They did add, though, that they will "continue to monitor the implementation of both instruments", indicating that we might not have heard the last of this complex issue.
GDPR Checklist

To give you some actionable items, here is a list of steps to prepare your business for GDPR:

- Prepare for data breaches: create rules and processes, so if a breach does happen you will know what to do and can limit the damage.
- Build a data-safe culture: develop policies, implement them, train, monitor and assess.
- Build privacy by design: have privacy in mind from the beginning of any new project.
- Analyze your personal data processing framework: is consent freely given, specific and informed? Or do you have a legitimate interest in processing personal data that overrides the right to privacy?
- Have clear and understandable privacy notices.
- Be ready for citizen requests: citizens have the right to be forgotten or to move their data.
- Check your third-party policies, procedures and contracts.
- Watch cross-border data transfers: transferring private data to countries that do not uphold the same data protections can result in significant fines.

As the world goes increasingly digital, our data footprint, and the ability to analyze it, is rapidly growing. Data protection laws such as the GDPR are important to protect us against micro-targeting, surveillance and other data transgressions. They provide legal frameworks to guide data privacy procedures and help businesses understand their requirements and limitations. They set out clear legal ramifications for non-compliance and encourage techniques such as anonymization (removing personally identifiable information) and encryption (encoding messages so that only those authorized can read them). They can also cut costs, encourage innovation and increase consumer trust. Data protection laws are necessary building blocks for taking full advantage of new digital opportunities while retaining critical protections.