As a U.S.-based company, you may be asking yourself, “Does my company need to prepare for the EU’s General Data Protection Regulation (GDPR)?” Simply put, if you process personal data for anyone in the European Union, the answer is very likely yes.
The question that should immediately follow is, “Does my company have data that is relevant to this regulation?” Article 4 in the GDPR states that personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Does your data fall under this definition? If so, you know that the GDPR does, indeed, apply to your organization.
Your next step is to immediately take action.
The General Data Protection Regulation (GDPR) goes into effect on May 25th, 2018—and the fines for noncompliance are staggering. The maximum fine of €20,000,000 (roughly $2.3 million U.S. dollars at the time this article was published) or 4 percent of a company’s worldwide revenue (not profit), whichever is greater—and is reason enough to take the regulation seriously.
The GDPR is comprised of 99 articles and plenty of complexities. Cut through the noise and ensure your organization is prepared with this free guide.
While steps to prepare for these regulations are too lengthy and organization-specific to be fully addressed in any web article, following the steps below will get you started on the right foot with GDPR compliance.
1. Build your team.
To become compliant with the GDPR, you’ll need a strong cross-organizational team. It may include your legal team, your privacy team (if you have one), your information security officers, and potentially an outside expert with special knowledge of the regulation.
You may also need to appoint a Data Protection Officer. Not all companies need one, but depending on the scale and nature of the data you’re processing, you might. Read articles 37-39 to determine if you need this role to be considered GDPR-compliant.
2. Map your data.
Identifying how your personally identifiable information (PII) is collected, where it resides, and how it flows through your network is critical for GDPR compliance. In order to understand this, you may want to create a “data map.” (Note that data mapping isn’t required under the GDPR—you just need a “record of processing activities”—but it could be valuable to your company.)
3. Examine your third-party vendor contracts.
As the GDPR compliance deadline draws near, one area you should prioritize is the evaluation of your current vendor contracts. Under the GDPR, organizations are, for all intents and purposes, responsible for what their vendors do with customer data. This means you’ll want to revisit current vendor contracts to ensure the right contractual obligations are in place for data protection.
4. Determine whether you have processes in place for the rights afforded to E.U. citizens by the GDPR.
Under the GDPR, E.U. citizens are given a number of rights (all outlined in articles 12-23), including the right to be forgotten, the right to erasure, the right to data portability, and more. These rights may not have been a concern for your company previously if you don’t process data for many customers in the EU, but compliance is necessary in order to meet the GDPR requirements.
You don’t have to reinvent the wheel for General Data Protection Regulation (GDPR) compliance.
You may already be operating your business in a way that meets some of the above requirements, so you may not to have to completely overhaul the systems you have in place.
If you want a deeper dive into the GDPR articles (and their many complexities), this free guide is right up your alley. It offers a compliance checklist, proactive ways to prepare for the deadline, insight from GDPR experts, and more.