Ensuring General Data Protection Regulation Compliance for US-Based International Retail Firms

Introduction

Since my large US online retail organization does business internationally, it must abide by the regulations in force in the countries where it operates. The General Data Protection Regulation (GDPR) is one of them: it is in force in the European Union and places strong emphasis on privacy and security. Beyond organizations established in the EU member states, any organization that collects the data of EU citizens or targets them with goods or services must abide by this document.

According to Hoofnagle et al. (2019), this guideline was designed to place personal data into a highly protective and regulatory environment. Thus, the GDPR governs the performance and accountability of any business that processes the personal data of European citizens or provides such people with goods or services (Burgess, 2020). This document provides EU citizens with specific rights, offers comprehensive definitions, is implemented by data protection authorities, and should be met to avoid significant financial losses.

Rights of EU Citizens Regarding Personal Data Under GDPR

To begin with, one should explain that the GDPR is important for all EU citizens. This regulation provides these individuals with eight specific rights regarding their data (Reciprocity, 2020). Every EU citizen is entitled to be informed about how a business collects and uses their personal data and what this organization is going to do with the data (Hoofnagle et al., 2019). The right of access stipulates that an EU citizen can discover what specific information organizations collect. The right to rectification allows individuals to complete or correct the already provided data (Burgess, 2020).

Furthermore, individuals may demand that their personal data be deleted permanently, that its processing be restricted under particular circumstances, or may object to the processing of their data. The right to data portability implies that individuals may receive and reuse their personal data if they wish to do so (Hoofnagle et al., 2019). Finally, EU citizens have the right not to be subject to automated decision-making if they do not want to be assessed by algorithms.

Understanding Personal Data and Data Processing in the Context of GDPR

The GDPR relies on specific terminology and definitions to bring clarity and avoid vagueness and misunderstanding. Two terms have been used frequently above, and they require specific attention. On the one hand, personal data “means any information relating to an identified or identifiable natural person” (General Data Protection Regulation [GDPR], 2018, para. 1). This description covers any individual who can be identified by a name, location data, an identification number, or other identifiers.

On the other hand, data processing “means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means” (General Data Protection Regulation [GDPR], 2018, para. 2). Examples of data processing include collection, retrieval, restriction, recording, structuring, storage, and other operations (General Data Protection Regulation [GDPR], 2018). Thus, every stakeholder should know these definitions to understand which processes the GDPR governs.

Role and Responsibilities of Data Protection Authorities (DPAs)

In addition, the GDPR creates data protection authorities (DPAs) that perform crucial roles in the implementation of this guideline. Firstly, the DPAs deal with supervision because they monitor how and whether the GDPR is implemented in their jurisdictions. Secondly, enforcement plays a significant role because the DPAs can take action against businesses that violate the regulation. According to Daigle and Khan (2020), the DPAs are typically aggressive toward non-compliant organizations, which can result in massive fines.

Thirdly, individuals can reach the DPAs and file complaints regarding their personal data, and the latter are expected to analyze these complaints, investigate cases, and assess organizations’ performance regarding privacy and security activities (Daigle & Khan, 2020). Finally, DPAs should cooperate with one another to ensure that they create an effective network protecting personal data in the EU. This discussion demonstrates that the DPAs play important roles in implementing the GDPR.

Impact of GDPR on Business and Security Operations: Recommendations for Compliance

There is no doubt that the GDPR will significantly change business and security operations in my organization. The regulation will make the entity pay more attention to data and its value. Even though this approach can be initially difficult, GDPR compliance will result in various benefits. If all the requirements are followed, it will be possible to avoid massive fines of €10-€20 million (Burgess, 2020). Furthermore, GDPR compliance can create a positive image, which will make customers and partners more willing to do business with my company. The specific modifications required are best presented as a recommended checklist for GDPR compliance, which is discussed below.

The required steps are as follows:

  1. Appoint a Data Protection Officer (DPO). This role is a new concept for US businesses; a DPO is responsible for monitoring and ensuring that the organization follows the GDPR requirements (Hoofnagle et al., 2019).
  2. Conduct a data audit. This step is significant because it gives the company a comprehensive analysis of the data it collects, holds, processes, and shares.
  3. Establish a specific system for handling personal data. This task is comprehensive and involves several smaller activities. For example, it is necessary to implement procedures to obtain consent from individuals for processing their data and to provide these data subjects with access to their data upon request. That is why it is necessary to rely on appropriate technical and organizational measures.
  4. Introduce Data Protection Impact Assessments (DPIAs) in those cases where data processing can imply high risks for individuals. This step includes completing a standard questionnaire to identify the nature of the data, and it can require a DPO to engage in various workflows or monitor different activities to mitigate the risk (Hoofnagle et al., 2019).
  5. Develop a plan to handle breaches. The organization should understand that data breaches are still possible. This means that the business should develop an appropriate procedure to report such an incident to the authorities and affected individuals within 72 hours (Hoofnagle et al., 2019).
  6. Organize regular training sessions. It is important for the organization to ensure that all its employees understand the importance of GDPR compliance and know how to protect data properly.

It should be noted that the list above is not exhaustive, and many other steps may be needed to address the issue of data protection. However, these recommendations are a minimum set of changes that can promote GDPR compliance.

Conclusion

In conclusion, the GDPR is an effective regulation, and my organization should follow its guidelines to do business internationally. I am sure that from a financial perspective, it is better to comply with the regulation. Even though the recommended steps mean that the organization will have to spend considerable sums of money, these expenses are justified. It is not necessary to calculate the exact cost of following the GDPR because the smallest fine for non-compliance is €10 million. Thus, a lack of compliance is likely to result in higher losses. That is why the organization should do its best to abide by the GDPR regulations.

References

Burgess, M. (2020). What is GDPR? The summary guide to GDPR compliance in the UK. Wired.

Daigle, B., & Khan, M. (2020). The EU General Data Protection Regulation: An analysis of enforcement trends by EU data protection authorities. Journal of International Economic Law, 1, 1-38.

General Data Protection Regulation. (2018). Article 4.

Hoofnagle, C. J., Van Der Sloot, B., & Borgesius, F. Z. (2019). The European Union General Data Protection Regulation: What it is and what it means. Information & Communications Technology Law, 28(1), 65-98.

Reciprocity. (2020). What are the 8 GDPR rights of individuals?

Cite this paper

LawBirdie. (2024, November 3). Ensuring General Data Protection Regulation Compliance for US-Based International Retail Firms. https://lawbirdie.com/ensuring-general-data-protection-regulation-compliance-for-us-based-international-retail-firms/