What is the GDPR and how should you prepare?

What is the GDPR?

The General Data Protection Regulation, or GDPR, is a solution to unify all EU member states’ approaches to data regulation. In short, the regulation attempts to apply identical data protection laws in every country in the EU (and the UK) and to define data standards for businesses. The GDPR effectively replaces the UK Data Protection Act of 1998 and the EU’s Data Protection Directive of 1995.

The new regulation will take effect May 25, 2018.

Before we move forward, keep in mind that the GDPR won’t have an impact for most. Its focus is on protecting citizens’ data privacy rights, so here’s what we can all do to help.

Who does the GDPR impact?

The GDPR will impact any organization that uses EU citizens’ data, even if the business is not located in the EU. “Organization” applies to any organization type, from businesses to non-profits to government. It also applies to any third party, such as an IT firm that handles data processing for your organization.

And even though the UK is due to leave the EU in the next 12 months, residents of the UK are protected under the regulation as well.

What’s the risk?

Businesses that do not comply with the GDPR could be fined up to €20 million, or 4% of the company’s global annual turnover, whichever is greater. While the GDPR is meant to save the toughest fines for the worst data breaches and data abuse, it’s important for businesses of all sizes and types to adhere to the regulation to avoid these penalties. 

What do you need to do to prepare and to be in compliance?

Anyone who controls and processes data must ensure personal data is processed lawfully, transparently, and for a specific purpose. The regulation also states that once the data is no longer required, it should be deleted.

To meet those requirements, here are the steps you should take to prepare:

1. Make sure organizational leadership is aware of the GDPR and how it impacts the organization.
2. Take stock of all the data you currently gather and store.
3. Document what personal data you hold, where it came from, and with whom you share it.
4. Review any and all current privacy notices and put a plan in place to revise these as needed in time for GDPR’s implementation.
5. Make sure you’re covered in all of your procedures and processes. This includes knowing how you would delete personal data, move data, or provide data electronically when asked to. Pro tip: if you have an email list or email newsletter, make sure it’s really easy for people to opt out or unsubscribe.
6. Update your procedures to handle requests within the new timeliness requirements.
7. Identify why you are processing personal data and document these reasons within your privacy policy to explain this.
8. Do you gather any data from minors? If so, start thinking about whether your users need to verify their age or obtain guardian consent. This applies to kids under the age of 16 for online services, and may even apply to kids as young as 13.
9. Put a plan in place in the case of a data breach: make sure you know how you would detect a breach, report it, and investigate it.
10. If your organization is large enough and you gather enough personal data, consider hiring a data protection officer. Protecting user data and privacy rights is becoming more and more important, so it may be time to consider this a core of your business strategy before it’s too late. If you are a public authority, engage in large-scale systematic monitoring, or if you gather large-scale sensitive personal data, the GDPR requires you to appoint a data protection officer.
11. Consider attending a webinar or getting a professional consultation. Organizations such as IBM are offering data protection consultations for businesses, which might be the best step to take if you know your organization needs help being in compliance.

What’s next?

If the regulations seem like they apply to you and you need help getting ready, we recommend getting in contact with one of the authorities on the GDPR.

Read the resources from the EU GDPR website: https://www.eugdpr.org/

Get GDPR Preparedness Services from verified IT consultants:

• http://www.ftitechnology.com/solutions/general-data-protection-regulation-gdpr-preparedness-services
• https://results.pcg-usa.com/gdpr-compliance/
• https://www.rsisecurity.com/marketing/gdpr/

Here to help

If you’d like advice on where to turn to prepare for the GDPR, give us a call. We consider ourselves an extension of your team, so don’t hesitate to reach out if you need us.