GDPR hits on May 25th - an expert explains what you need to do if you're not ready

Thomson Reuters

Starting May 25, there's no walking away from Europe's data protection laws.

• The European Union's extensive data protection regulations, known as GDPR, go into effect May 25.
• The regulations impact any business that uses the personal data of EU citizens - whether or not they're based here.
• While many companies take 18 to 24 months months to get GDPR compliant, there's still some hope for the slackers.
• Box's VP of compliance Crispen Maung tells us that it's better to have an outline of a plan for GDPR than no plan at all.

When General Data Protection Regulation (GDPR) goes into effect in the European Union on May 25, it's not just those companies across the proverbial pond who will be impacted.

Any American companies that work with customers in the EU will need to make sure their data storage practices are compliant with GDPR - and they'll need to be able to prove to the authorities that they're playing by the rules.

Complimentary Tech Event

Transform talent with learning that works

Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More

Crispen Maung, vice president of compliance at the $3.2 billion cloud storage company Box, said his company has been preparing for the regulation for the last two years, and that most companies will take a full 18 to 24 months to be fully compliant.

But if the May deadline has taken your team by surprise, there are still steps your company can take to lessen the pressure if and when European regulators come a-knocking.

Companies are responsible for who they share data with

First and foremost, Maung said, it's important for companies to understand for what, exactly, they will be held accountable .

This GDPR checklist, compiled by developers in Belgium, is a good place to start. You can also read this helpful guide by Business Insider's Rob Price to understand what GDPR even means.

When it comes to compliance, the GDPR regulations place the burden of proof on a so-called controller. In this usage, the controller is the company that hosts the original data. A processor is a company that takes the data and puts it to use.

For example, if a real estate company stores its customers' contract information in Box, it is up to that real estate company to prove that Box stores that information appropriately in line with GDPR rules.

In many cases, including with Box, companies are both controllers and processors depending on the usage. If a company uses Box to transfer payroll information to a third-party application, it is acting as a controller. But when a company uses Box to store its files, it is acting as processor.

Companies like Box, which rely on enterprise customers, have added tools to help their customers make sure they are GDPR compliant. Box Zones, for example, is a feature that lets companies decide in which regions to host their data. This helps them comply with the regulation that prevents certain data from leaving the European Economic Area (EEA).

Increasingly, countries like Russia, China, and the EU, are requiring that tech companies store data inside the countries they serve, and not in foreign locations that may be beyond their jurisdiction.

Really, the burden is on Box's customers to actually manage those settings and ensure that their data is stored on Box in a way that complies with the regulations, Maung said. But that doesn't mean processors are totally off the hook.

"In the controller/processor relationship, any processor has an obligation to be as transparent as they can," he said, which means providing customers with information about how and where their data is stored.

Ultimately, though, it's up to the controller to ask the processor they work with for that information. If they don't, it could mean trouble with EU authorities.

Here's what to do if you haven't done anything to prep for GDPR

While most companies will take 18 to 24 months to be fully compliant with GDPR, Maung said that many companies in the US simply aren't prepared for the fast-approaching deadline.

If you're one of the companies that isn't there yet, Maung suggested you get started right away.

"I think the best way forward for those guys is to make sure they have a project plan of how they intend to be compliant," Maung said. "It's a little like shutting the gate after the horse has bolted, but at least it's something."

While Maung said he believes most enterprise tech companies can meet GDPR regulations, the question their enterprise customers must ask themselves is "how are they independently validating" that this is the case?

The first step is to do due diligence and figure out which specific laws and regulations will impact your business. The laws apply to all companies processing the personal data of people residing in the EU, regardless of the company's location. So if you work with anyone in the EU, figure out your specific liabilities, he suggests.

The second step is to outline what information your company keeps, and where it is being stored. This can be anything from employee payroll data to customer e-commerce history. Even if your company isn't compliant, Maung said it will go a long way with regulators if you can at least prove that you know where your data lives.

The third step is to consult all processors to figure out how they process data, how it is delivered, and how it is used. If a company sends a European customer's order history to a market research firm, for example, it needs to be able to prove to regulators how that data is being used by the research firm.

If your company works with a processor like Box, that processor should be able to provide information to help you prove that your data meets the regulations - and if they don't, find a processor that does. But as Maung said, the burden is ultimately on the controller to make sure it is following the laws and to make sure that the companies it works with are compliant as well.

US data laws are lax - but that may not always be the case

While data protections in the US are far less comprehensive than GDPR, the recent Cambridge Analytica scandal has put Facebook under the spotlight and reopened the conversation around privacy regulations.

AP

Zuckerberg may have been grilled by Congress, but US data protection laws remain lax.

It's unclear what regulations, if any, will pass in the US. But Maung said you don't have to look too far to figure out what US data protections could look like.

"We work with a lot of US government agencies where the bar for data protection and privacy is high. But it's not across the entire US," Maung said. "So from our perspective, if the US came out with something similar to GDPR, it would be based on the FedRAMP standard."

FedRAMP - the Federal Risk and Authorization Management Program - is a standard that applies to cloud products and services used by the US government. It decides which companies meet standards on security, authorization and continuous monitoring, and is applied ubiquitously to government agencies to ensure that federal data isn't easy to hack or exploit.

Currently, FedRAMP certifies select businesses that are compliant with its standards, and then government IT departments choose products that are pre-authorized for use.