The New European Union General Data Protection Regulation (EUGDPR): What has changed and how to prepare

April 04, 2018

With the recent Facebook data scandal making headlines, the topic of protecting customer data has been thrust back into the spotlight.

In an online world, customers often have little choice but to entrust their personal data to the companies with whom they do business. Yet when their data is misused, either through negligence or shady business practices, serious concerns arise. Who can they trust?

On May 25, 2018, the European Union General Data Protection Regulation (EUGDPR) will bring sweeping changes to data privacy laws and affect all companies, including those in the U.S., that do business with citizens of EU countries. Companies that do not heed this law to protect their customers’ data will do so at their own peril, facing enormous fines for noncompliance.

This report investigates the new regulation and reveals what it is, what has changed in international data protection regulations, how Arpin Group has prepared itself, and what impact this will have on the international moving industry.

What Is Data Protection and Why Should You Care?

Before we get into the details of the EUGDPR, it is important to define what data protection means and to explain why it is so critical for your company to understand.

What constitutes personal data?

Personal data is any information related to a person that can be used to identify him or her. This may include, but is not limited to:

  • Name
  • Home address
  • Email address
  • Telephone number
  • Date of birth
  • Passport or ID card
  • Social Security number
  • Banking and credit card information
  • Physical characteristics
  • Consumer purchase history
  • Browsing data
  • Passwords

Why protect this data?

At worst, a data breach has the potential to shut down a business. At best, it will lead to a public relations crisis that may result in long-term damage to your company’s reputation and its profitability. Having inadequate privacy policies and procedures may cause harm to your business relationships. Customers may revolt and organize boycotts. Your company may become subject to class-action lawsuits. Bottom line: it is much costlier to deal with a data privacy breach than to prevent one from happening in the first place.

What is data protection management?

Data privacy protection management is the act of establishing policies and systems that govern the collection, use, retention, disclosure and disposal of personal information. All of these policies must be described in plain language in your company’s privacy notice, which should be given to each customer before they do business with your company.

How the EUGDPR Came to Be

The first data protection regulations in the EU took shape back in 1995, during a time when the internet was in its infancy and most people did not have online access. The world of information security has since evolved, and the old privacy regulations were not only out-of-date, but did not have big enough fines for global data giants to take seriously. The new rules needed “teeth.” Furthermore, the 28 member states needed a way to harmonize data privacy laws across Europe to protect their citizens and set new standards for data security.

Therefore, in 2012, the European Commission filed the first proposal to update these regulations. After years of research and negotiations, the European Parliament and the Council of the European Union came to an agreement and adopted the new regulation in 2016 with a two-year grace period for organizations to adapt before it would be enforced. The deadline for compliance is May 25, 2018.

What’s New in the EUGDPR?

In earlier versions of the EU data privacy regulations, the subject of territorial scope – whether the law applies to countries outside the EU – was challenged in a series of high-profile court cases. The new EUGDPR firmly establishes that any company in the world that holds or processes the personal data of people who live in the EU is subject to this regulation regardless of location.

Penalties for breach of the EUGDPR are substantial. Organizations can be fined up to four (4) percent of the annual global turnover or €20 million, whichever is greater.

Organizations that bury their privacy terms in fine print or legalese will have to change this practice. The EUGDPR requires that privacy terms be written in simplified language and be distinguishable from other forms. This privacy policy must describe the reason for data collection and its use. It must also allow customers to consent to sensitive data being collected as well as be able to withdraw such consent.

In the event of a data breach, such as a malicious cyberattack or unauthorized disclosure of private information, the company will be required to notify customers within 72 hours.

Organizations must be prepared to provide a copy of the personal data, free of charge, to their customers upon request. Customers reserve the right to request that their data be deleted and that further dissemination of the data cease.

Overview of Arpin’s Data Privacy Measures

Arpin, which has been operating in the international moving industry for nearly three decades, was an early adopter of data security policies and systems.

There are several programs that Arpin uses to protect its customers’ data, which also ensure its compliance with the new EUGDPR before the May 2018 deadline.

Global Privacy Policy

Arpin Group has one global privacy policy for consumers that applies to the entire Arpin Group family of companies, including Arpin Van Lines, Arpin International Group, Arpin Renewable Energy, and Creative Storage Solutions. One privacy policy makes it clear and convenient for people to make informed choices about managing their personal information. Arpin is dedicated to complying with all applicable state, federal, and international privacy laws, including the EUGDPR.

FIDI-FAIM 3.1 Audit

FIDI, based in Brussels, is a global alliance of professional international moving and relocation companies. The FIDI-FAIM certification program requires that international movers have a periodic independent assessment of their inter-continental moving activities through an independent audit, which is performed every three years. Ernst & Young performs the audits. Part of this assessment involves the review of data handling and privacy procedures.

All of Arpin International Group’s offices in the U.S., U.K., Germany, China, and Singapore hold a FIDI-FAIM certification in good standing.

Privacy Shield

In 2017, Arpin International Group obtained certification approval from the United States Department of Commerce for the EU-U.S. Privacy Shield Framework for meeting U.S. and EU data privacy and protection standards.

The U.S. Department of Commerce and European Commission designed the EU-U.S. Privacy Shield Framework to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the U.S. in support of transatlantic commerce.

Arpin International Group must recertify annually to keep its Privacy Shield status.

Employee training

Annually, Arpin employees worldwide are required to complete global data privacy compliance training courses and pass a test. They also receive mandatory monthly training on a variety of professional development topics including other areas of information security. The Arpin Regulatory Compliance Manager regularly monitors and ensures that employees stay on track with successful completion of these courses.

Cybersecurity penetration testing

Each year, Arpin Group undergoes a random cybersecurity penetration test, administered by an independent firm, to evaluate the company’s defenses against hackers and enhance its data security. The cybersecurity-testing firm spends several days in secret, probing Arpin Group’s digital defenses, deploying the same methods that a criminal might use to discover and exploit the company’s potential vulnerabilities.

Agent and vendor compliance

Arpin International Group has a network of approximately 3,500 agents and vendors around the world and has developed a system for ensuring compliance through its supply chain network.

Arpin formed a regulatory compliance division dedicated to ensuring that all Arpin supply chain partners are properly vetted and monitored to mitigate risk and ensure compliance with all applicable regulatory requirements. All agents must sign an agreement to abide by the EU data protection regulations. Arpin has contracted Dow Jones Risk and Compliance to provide its anti-bribery, anti-corruption, and third-party due diligence compliance screening and monitoring program.

Impact on the Industry

The EUGDPR will have the biggest impact on companies with business models centered upon data collection, such as data giants Google, Facebook, and other social media services. These companies face the biggest challenges in complying with this new regulation because they also carry the most risk of data exposure. We expect that this regulation will change their worldwide data protection policies.

The moving industry, by comparison to the data giants, carries less risk; but the dangers of non-compliance are no less serious. Those moving companies that are certified under the Privacy Shield and hold certifications from international alliances such as FIDI are well ahead of the game. We expect that FIDI will update its audit and certification programs to ensure its members are compliant with EUGDPR.

One of the biggest threats to moving companies may be found in their supply chain, among their networks of smaller agents and vendors. Therefore, prime moving companies must set up firm compliance agreements with their supply chain network that dictate how data must be handled as well as install the appropriate safeguards.

The EUGDPR will ultimately be beneficial for the moving industry because it will give companies a standard framework for addressing data security and, in the end, make all of us better stewards of our customers’ private information.

Disclaimer: This is for informational purposes only and not to be taken as legal advice. Please consult the official EUGDPR website and an attorney with knowledge of the EUGDPR for advice on your situation.