Most in the IT world have heard about the EU’s GDPR (General Data Protection Regulation) and know that it comes into effect this year, but many U.S. companies have yet to make the necessary changes to be compliant. A study by TrustArc says 61% of U.S. companies surveyed had not yet begun implementation of GDPR compliance at the end of last year. The majority of those who are unprepared are smaller companies. What you may not know is that if your company has a website, the GDPR will likely affect you. Here’s a quick overview to get your company going in the right direction.
Who Must Comply with GDPR?
Anyone who collects and stores personal data on EU citizens must technically comply with GDPR. This means if your company has a website that collects user data, you will most likely have to comply with this regulation. The GDPR’s definition of personal data includes names, location data and online identifiers. For more GDPR definitions, click here.
How to Comply with the GDPR
We attended the Data Center World Conference last week in San Antonio, and Kenneth Sanford from Dataiku simplified most of the key points of the regulation as best as one can simplify it:
1. If the user requests it, you must show them their data.
If a user requests to know what data your organization has collected on them, you must provide them with the data you have.
2. Inform the user of how you will use it.
You must inform users of how you will use their data and obtain their consent. If at a later date a user wants to know how their data has been processed, you must provide this information.
3. If the user requests it, you must delete them.
If a user requests that you delete their information, you must comply. In GDPR this is referred to as erasure and respects the user’s right to be forgotten.
4. Have someone who manages this process.
To ensure that these requirements are met, your organization should appoint a Chief Data Officer. Sanford recommends appointing someone who has a background in statistics or analytics, as these professionals are aware of the advantages and opportunities that come from data processing as well as the risks. However, this person should also have expert knowledge in data protection law.
5. Report data breaches promptly.
GDPR requires that data breaches be reported to a supervisory authority within 72 hours of the breach. In the U.S., this authority would be the FTC.
Documentation Is Key
In order to provide users with information about how their data is being used, should they request it, it is essential for employees to document exactly what data they are collecting and processing and for what purpose. This can become complicated, as you can imagine. Employees who manage data will need time to become accustomed to a documentation process and practice transparency in data processing. Companies must be able to provide specific and legitimate reasons for storing and processing data on EU citizens. Data organization and centralization will become essential to make this process as efficient as possible. Those responsible for data protection should know where personally identifiable information is stored at all times.
What Is the Penalty for Non-Compliance?
The maximum fine for not complying with the GDPR is 4% of global revenue or €20 million, whichever is larger.
Additional Information
The GDPR goes into effect on May 25 of this year. This blog post is just a simplified overview of what the GDPR entails. For more detailed information, Intersoft Consulting provides an accessible version of the complete GDPR broken down by definitions, user rights, important articles and chapters.
Disclaimer: This blog post does not constitute legal advice and only provides highlights of the GDPR.
