
GDPR: WHY COMPLY?

As one can imagine, data is like a credit department's Ark of the Covenant: Customers must agree to openly share their information with credit managers, who may then use it to set and maintain the foundation of the business relationship. The metaphorical concrete structure of the creditor-debtor relationship is trust. The slightest crack in the foundation can cause a ripple effect of data misuse and exposure. Now in full swing, the European Union's General Data Protection Regulation (GDPR) requires companies worldwide to ensure the informational foundations are up to code as they learn to adapt to the new data regulation and find the strategies that work best.

Even before GDPR was implemented, a vast majority of companies around the globe were not optimistic about meeting the May 25, 2018, deadline. The data keepers are now not only required to inform regulators of data breaches within 72 hours, but they have to be transparent with businesses about what, when, where, why and how data is collected.

"For many years, it's been, 'How much data can we trick people into giving us?' and 'We'll figure out how to use it later!'" said Jason Straight in the article, No one's ready for GDPR, published by The Verge. Straight is an attorney and chief privacy officer for legal service provider UnitedLex.

"That is not going to be an acceptable way to operate anymore under GDPR," Straight explained. "There are some companies we've talked to where they say, 'Are you kidding? If we told them how we were using their data, they'd never give it to us in the first place.' I'm kind of like, 'Yeah, that's sort of the point.'"

One of the latest GDPR surveys by IT Governance found that among more than 200 firms in the EU, only 29% have plans to address the regulation within their organization. This comes as surprising news considering about 60% of respondents said they are "aware" they must abide by the regulation's standards.

"It is discouraging to see so many organizations understanding the GDPR and its applicability to their businesses but failing to comply," Alan Calder, founder and executive chairman of IT Governance, said in a statement. "May 25 should have been the wakeup call, but it's not too late to begin your compliance journey. The time is now."

In September, 2018, a summer survey of 600 respondents found only a mere 21% of U.K. and U.S. companies combined were compliant under the regulation, the remaining 79% claiming they were held back by the high costs and complexity of implementation. Hitting their stride the most was the EU, where twice as many companies were compliant compared to the U.S. But with four years of talks and an additional two years to implement, why are so many companies still not compliant? According to experts, the trouble stems from cost and complications.

The GDPR Compliance Status: A Comparison of U.S., U.K. and EU Companies report found nearly 70% of respondents spent more than six figures--anywhere between $100,000 and $5 million--to meet the regulation as of September. Respondents were from various industries, including retail, finance, technology and manufacturing. The study was completed by TrustArc, a technology and security company, in collaboration with Dimensional Research.

About the same number of respondents also said they planned to spend another six figures to reach full compliance before the end of 2018. The U.S. had the largest compliance budget among respondents, 15% having a budget between $1 million and $2.5 million.

The results indicated compliance was worse than anticipated when compared to an April 2018 survey by international law firm McDermott Will & Emery and independent data protection researcher Ponemon Institute. The Ponemon survey concluded that more than half of U.S. and U.K. businesses wouldn't be compliant by the deadline. However, there was some improvement over research conducted in August 2017. In the TrustArc survey, more than half of respondents were in the process of becoming compliant.

"The number of companies whose GDPR implementation is underway or completed increased from 38% to 66% in the U.S. and from 37% to 73% in the U.K.," the TrustArc study states. "Comparing U.S. against U.K. companies in terms of being fully compliant, U.K. companies have made greater progress."

Enforcement of hefty fines is slowly becoming a reality for noncompliant companies at lower and upper levels. Determined by the nature of infringement, the GDPR website states, lower level companies face fines of up to 10 million euros or 2% of the worldwide annual revenue of the prior financial year, whichever is higher. Similarly, those at the upper level are fined up to 20 million euros or 4% of the worldwide annual revenue of the prior financial year.

"To put that in perspective, a 4% fine on Amazon would be $7 billion," The Verge reported. "Interestingly, since a company like Amazon reports huge revenues and relatively small profits, a 4% fine could cost them over two years of profit."

According to an October article by Lexology, Canadian data analytics firm AggregateIQ Data Services became the first firm to face GDPR's hefty fines. The article cited the U.K.'s Information Commissioner's Office's (ICO) finding that the company had used data of U.K. residents to "target political advertising at voters prior to elections." ICO noted the data usage likely caused "damage or distress" and gave AggregateIQ 30 days to comply with GDPR or pay a fine of up to 20 million euros.

In early August, financial publication CFO reported a low number of companies planning to "wait and see" what sort of fines they might face before implementing the regulation. The respondents participated in a webcast by Deloitte Risk and Financial Advisory, whose managing director, Rich Vestuto, said companies are having trouble believing such fines will happen.

Various challenges plague respondents, ranging from insufficient budgets to limited knowledge and understanding. TrustArc's compliance survey found the complexity of the regulation was the top challenge, more so in the EU (72%), followed by the U.S. (69%) and U.K. (58%).

Meanwhile, many respondents claimed they were behind because their departments didn't have enough knowledge or understanding on how to comply. The U.S. had the most difficulty at 53%, with the EU not far behind at 50%.

Jose Hidalgo, a legal expert for sustainable pulp, paper and personal care company Domtar in Europe, said prior to GDPR, a data protection directive was in place. Although not a law, the directive was implemented on a local basis for each individual country. The company's European division was subject to GDPR, while its North American division was subject to GDPR only if offering goods or services to EU residents.

At Domtar, the IT department dedicated time to implement technical and organizational security measures to the company's system. The legal department was also involved, reviewing data protection law.

"In order to make the company compliant, the first thing we had to do was know how we process data," Hidalgo said. "For example, we had to create a record of all the processing activities that involve personal data from entities, customers and users. This was one of the most difficult parts of the project because we created a questionnaire that we sent to all the different business managers in order to identify all of the different processing activities."

The Domtar team behind the GDPR implementation also developed an opt-in service for European customers as well as appointed a data protection officer to monitor compliance. For many years, Hidalgo said, data protection was considered a fundamental right in Europe, stemming from the importance of protecting individuals' personal data. Today, it's critical companies balance protection with professionalism when conducting business.

"Start compliance as soon as possible because it is going to take time," he said. "GDPR has changed our approach to data protection. Now, it's a very important practice. Every time you put a new system in place that is going to process personal data, the first thing you have to do is assess the risk. If you have a high risk, you have to implement new security measures; otherwise, you're not going to do things right."

A credit professional told NACM their company's efforts to fall in line with the regulation are "still a process" as it impacts external communications.

"We're working strictly with a [data protection officer] in order to understand the content [that's] allowed to be shared externally," the credit professional said. "Of course, a lot of the job was done in updating the website, contracts and other marketing material to be compliant with GDPR."

Although the regulation still raises questions within their company, the credit manager said they agree with GDPR's objectives; however, it will take time to see if it has any positive or negative impacts.

NACM's Road to GDPR Compliance

As with any organization utilizing data of European residents, NACM was required to follow the guidelines set by GDPR. A dedicated team of NACM-National employees spent countless hours not only educating themselves on the regulation but also determining the best course of action to ensure the data of all members, at home and abroad, was handled safely, securely and with their knowledge.

Using an opt-in, opt-out system, NACM-National's technical team reconfigured the organization's database, said an employee who worked behind the scenes. Non-members who are European residents are now required to "opt in" if they wish to receive any information from NACM, the Finance, Credit & International Business Association (FCIB), CFDD or NACM-Canada.

"When GDPR came in, we had to rethink our [marketing] methodology because there is the requirement for [European residents] to opt in," an NACM-National employee said. "They have to say yes, they want to receive our messages. We had to redo our whole process on how we were managing those people, especially European residents in our database."

The following is an excerpt from one of FCIB's emails to its non-members prior to GDPR enforcement:

We'd like to verify that you want to continue to receive information from FCIB.

By giving your consent, you will continue to receive FCIB's newsletter, Week in Review, along with announcements about FCIB courses, webinars, summits, surveys and other services relevant to your career in international credit and risk management.

You will still have the opportunity to opt out of future communications at the bottom of every email.

"A challenge is getting the information to the right people," said the NACM-National employee. "A member may live in the U.S., but legally, he or she is a European citizen."

The implementation process began more than a year ago in December 2017 when FCIB began contacting its non-member purchasers about GDPR and informing them how they could continue receiving the latest organization news. Behind the curtain, a handful of NACM employees held meetings and attended educational sessions with GDPR experts to learn what NACM and FCIB needed to do for itself and its members. One of the most crucial changes came to the organization's websites, where the organization's privacy policy was revamped to explicitly inform any and all members and customers of the data that is collected as well as their "Right to Be Forgotten."

Data that is received or collected to activate membership includes: name; job title; company; shipping and physical addresses; country; telephone number; fax number; email address; payment details and business type.

Under the privacy policy's Right to Be Forgotten/Right to Erasure clause, citizens or residents of a European Union country can request their personal data be removed. NACM will follow up with a request to inform the resident/citizen what it entails.

"If you want to be forgotten, you can be. We will do that," said the NACM employee. "But we will tell you, 'Remember, if we do this and you have a credential, for example, that wipes that out and you have to start all over again.'" In addition to any credentials, any prior classes and events attended will be "forgotten," with all data of the member removed from the NACM database.

Members can still manage their current membership at NACM.org or fcibglobal.com under "My Accounts." Under "Preferences," new post-GDPR features give members the ability to opt out of specific categories: benefit of membership messages (eNews, credit essentials, Business Credit magazine); surveys (Credit Managers' Index); the bookstore; certification; education and other membership messages.

The NACM-National employee said implementing GDPR was "definitely beneficial" for the company because it refined procedures to better assist our members.

"We were doing it in broad strokes, and we refined it in more narrow categories so that somebody who didn't want to hear about webinars could still hear about Credit Congress or vice versa," the employee said. "It gives them more options and control over what they do receive from us. That's not only on the European side but also the rest of the world."

Andrew Michaels, editorial associate, can be reached at andrewm@nacm.org.
COPYRIGHT 2019 National Association of Credit Management
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2019 Gale, Cengage Learning. All rights reserved.

Article Details
Author:Michaels, Andrew
Publication:Business Credit
Date:Feb 1, 2019
Words:2156