As of May 25, 2018, U.S.-based businesses that have operations in the European Union (EU) or that employ citizens of EU nations will have new requirements to meet regarding data protection. This is when the new General Data Protection Regulation (GDPR) takes effect.

Any companies not prepared to meet the new regulations that experience a data breach could face massive fines. Agents selling group plans, benefit or retirement packages to companies with EU employees that will subsequently store personal information on those employees could also be affected.

GDPR was designed to better protect EU citizen data and to ensure that the companies storing that data are entitled to hold it. Standards vary based on where the data originates, but generally any information such as name, address, credit card number, etc., is covered. In the domestic U.S., protected data is defined as Personally Identifying Information (PII); under GDPR, the equivalent for an EU citizen is known as Personal Data. Failure to protect PII or Personal Data to the required standard could bring a hefty bill or, upon consistent failure, even an order to cease business in EU countries.

Current U.S.-based data privacy regulations require companies to notify customers if a data breach occurs, but in the U.S. there can be a significant time delay between the breach and the notification letter; not so with GDPR. GDPR requires that the Supervisory Authorities be notified within 72 hours, even while a breach is still being investigated. Failure to report within 72 hours could lead to significant fines. Maximum fines could be up to $26M or 4 percent of global gross revenue, whichever is greater.

Insurance companies selling plans to U.S.-based businesses with EU citizen employees or operations in EU nations could be affected because they gather Personal Data from EU subjects.

For example, a U.S. technology company has an office in San Francisco and another office in London. Some EU citizens work in both locations for that company, and they are all offered the company group insurance coverage and benefits package. The company collects information on its employees such as name, birth date, social security number, and other data points required for those individuals to apply for insurance coverage, and passes it along to the firm. Under GDPR, if the company or the insurance agency does not properly encrypt this information and a hacker is able to steal an EU citizen's Personal Data, a violation of the regulations has occurred.

The first step toward compliance for any company is determining the need for, and if necessary assigning, a Data Protection Officer (DPO). A company will be required to have a DPO if it possesses large amounts of data covered by GDPR. The DPO must be available and involved in any event where there is a possibility of a loss of GDPR-covered data. The DPO will be the point person for any GDPR issue with the affected persons and the Supervisory Authority.

Obviously, because the DPO will be instrumental in proving a company's compliance with GDPR, this individual needs to know the regulations and the company's security protocols inside and out, backward and forward. If a company is not required to have a DPO, it should still have a plan in place for whom it will call if the Supervisory Authority opens an investigation.

Additionally, any Personal Data that is lawfully received, stored or processed by a company needs to be encrypted. This means encrypted at rest and in transit: complete end-to-end encryption. GDPR does not allow for leniency regarding outdated software or new implementations that are still being evaluated for deployment.

Companies will also now be required to complete Data Protection Assessments and Privacy Impact Assessments. They will be expected to increase visibility into what level of impact a breach might have for customers and the company, if one occurs. And all efforts made to comply with GDPR need to be documented so they can be given to a Supervisory Authority upon request.

The best source of information on the regulation requirements is gdpr-info.eu.

Once GDPR takes effect, if a company experiences a breach or is contacted by a GDPR Supervisory Authority, the best course of action is to show an attitude of compliance by offering complete support for the investigation. Then, contact the legal team. It is important to remember that complying with GDPR can be complex. It takes some time to update systems and processes to the level of security required by the new regulations. It can also be costly and disruptive, but the protection of data is becoming paramount in the new business paradigm. For GDPR, the cost of compliance is geared to be less than the cost of sanctions.
