After nearly two years of discussion and prep time, the day is finally here for GDPR to go into effect. If you are somehow unfamiliar with the term, the General Data Protection Regulation (GDPR) is the EU regulation that replaces the 1995 Data Protection Directive and sets the rules for how organizations collect, store and process the personal data of people in the EU.
In case you’ve been living happily on a beach in the South Pacific for the past year, enjoying life off the grid while downing drinks with your toes in the sea, here is the download of what the GDPR is and what needs to be in place as of May 25, 2018 (and if you have been off the grid for a bit, uhm, surprise…today is May 25th, so you need to get cracking!).
What is GDPR?
Let’s tackle this one first….what exactly is GDPR? Glad you asked! Well, according to the all-knowing Oracle that is Wikipedia, GDPR is:
“The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymization or full anonymization, and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done on a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data’s owner.”
How Does GDPR Impact US Based Companies?
Good question! While this is an EU regulation, data tends to travel across borders in today’s online global economy, so the GDPR is written to protect people in the EU no matter where their data ends up. Under Article 3 it applies to any company, anywhere, that offers goods or services to people in the EU or monitors their behavior and holds their personal data. Note that it is about people located in the EU, not EU citizenship: an American living in Berlin is covered, an EU citizen living in Texas generally is not.
In order to comply, American companies have two options: they can either block their EU users altogether or establish processes to support the regulation and ensure compliance. Compliance includes handling personal data in a very specific manner, with security measures appropriate to the risk (Article 32 explicitly names pseudonymization and encryption). Companies must also provide avenues via which consumers/users can manage their own data, including getting a copy of it, correcting it, and having it deleted completely if they so desire.
When it comes to US companies, the truth is that no one really knows how GDPR will be enforced on American companies…..however, as of this morning, it appears we have a glimpse into what we can expect, as the first complaints under the regulation have already been filed against Facebook and Google.
Steps for GDPR Preparation
If you haven’t started preparing, you should probably get cracking! Short of blocking your EU user base, here are a few steps for you to consider and get moving on ASAP in order to become compliant with GDPR as quickly as possible:
- Hire a Data Protection Officer (DPO) or Consultant – The GDPR assigns liability to both data processors and controllers, so this isn’t something you want to mess around with. A DPO is mandatory (Article 37) for public authorities and for organizations whose core activities involve large-scale regular monitoring of people or large-scale processing of special categories of data; everyone else gets to choose. If possible, hire someone to be your point person and manage the process for the long game; if your structure doesn’t allow for this position, then consider hiring a consultant who can come in and get your systems up to the regulatory standard. One of their first steps will, no doubt, be a thorough audit of what personal data you hold, where it lives and who touches it, followed by a list of high-risk areas and a plan for resolution.
- Educate your staff. Although the bulk of the day-to-day work falls on your security and engineering staff, anyone who handles personal data needs to be educated about GDPR. This includes staff who interact with new customers or users, those who maintain CRM systems, and even data entry personnel.
- Update your tools and features in order to ensure privacy. Every day more companies pop up with pseudonymization solutions and other ways to keep compliant. Do your research and stay on top of your features, structures, and processes, ensuring that they remain compliant going forward.
- Reach out and work with third-party providers who are GDPR-compliant. This includes your email service provider or ISP, your CRM services, your outside vendors, and your marketing and PR agency or departments. Article 28 requires a written contract with every processor that handles personal data on your behalf, spelling out what they may do with it, so “they say they’re compliant” is not enough on its own. It’s important to ensure that all aspects of your data processing are in compliance.
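As an added illustration of what “pseudonymization” and “data protection by design” actually look like in code (this is example code written for this post, not something from the original article or any vendor’s product): direct identifiers are replaced with keyed tokens, the key and the token-to-identity table are kept apart from the working dataset, and an erasure request is handled by dropping both the rows and the mapping. The field names, the demo key and the sample record are all constructed for the example.

```python
"""Keyed pseudonymization of customer records with a separately held
re-identification vault, plus handling of an erasure request.

Added illustration, not code from the original post. The record layout,
field names and the demo key are constructed for this example.
"""
import hmac
import hashlib
from typing import Dict, List, Optional

# Fields that directly identify a person and must not appear in the
# working dataset in clear text.
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")

# Constructed demo secret. In production this lives in a KMS/HSM under
# separate access control from the pseudonymized dataset, so that the
# dataset alone cannot be linked back to a person.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def pseudonym(value: str, key: bytes, field: str) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC rather than a plain hash: without the key, an attacker who
    obtains the dataset cannot test likely e-mail addresses against the
    tokens. The field name is mixed in so the same string appearing in
    two different fields yields two unrelated tokens.
    """
    normalized = value.strip().lower()
    msg = field.encode() + b"\x00" + normalized.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Vault:
    """Token -> original identifier. Stored apart from the dataset; this
    is the 'additional information kept separately' the regulation
    talks about."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def remember(self, token: str, value: str) -> None:
        self._entries[token] = value

    def lookup(self, token: str) -> Optional[str]:
        return self._entries.get(token)

    def forget(self, token: str) -> bool:
        return self._entries.pop(token, None) is not None


def pseudonymize_record(record: Dict[str, str], key: bytes, vault: Vault) -> Dict[str, str]:
    """Return a copy of `record` with direct identifiers replaced by tokens.
    Non-identifying fields (plan, region, ...) pass through unchanged."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field):
            token = pseudonym(out[field], key, field)
            vault.remember(token, out[field])
            out[field] = token
    return out


def reidentify(record: Dict[str, str], vault: Vault) -> Dict[str, str]:
    """Restore clear-text identifiers; only possible with access to the vault."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            original = vault.lookup(out[field])
            if original is not None:
                out[field] = original
    return out


def erase_subject(email: str, key: bytes, vault: Vault, dataset: List[Dict[str, str]]) -> int:
    """Handle a right-to-erasure request for the person behind `email`.

    Removes that person's rows from the dataset and every vault entry that
    could link the remaining tokens back to them. Returns rows removed.
    """
    token = pseudonym(email, key, "email")
    removed = [r for r in dataset if r.get("email") == token]
    dataset[:] = [r for r in dataset if r.get("email") != token]
    for row in removed:
        for field in DIRECT_IDENTIFIERS:
            if field in row:
                vault.forget(row[field])
    return len(removed)


if __name__ == "__main__":
    vault = Vault()
    # Constructed sample record.
    customer = {"email": "Alice@Example.com", "full_name": "Alice Example", "plan": "pro"}
    dataset = [pseudonymize_record(customer, DEMO_KEY, vault)]
    print("working dataset:", dataset)
    print("re-identified via vault:", reidentify(dataset[0], vault))
    print("rows erased:", erase_subject("alice@example.com", DEMO_KEY, vault, dataset))
    print("dataset after erasure:", dataset)
```

Two caveats a practitioner should keep in mind. First, pseudonymized data is still personal data under the regulation as long as the key or the vault exists somewhere in your organization (Recital 26); it only falls out of scope once the link is destroyed, which is why the key and vault need to sit under stricter access control than the dataset. Second, a different key per dataset or per tenant (the `key` argument above) stops two pseudonymized datasets from being joined on the same token, which is exactly the kind of re-identification the regulation wants you to prevent.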