The European Union's (EU) General Data Protection Regulation (GDPR) came into force on May 25, 2018. It applies to any organization, including U.S. businesses with no EU presence, that processes the personal data of people in the EU, for example by offering them goods or services or monitoring their behavior. Even if you don't think you're at risk, seemingly innocent data such as online identifiers (IP addresses, cookie IDs) collected from EU users counts as personal data and could expose you to fines of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher.
The GDPR broadens the definition of personal data and expands the rights of data subjects, which makes it harder to determine exactly what your obligations are. Here are some first steps to prepare for the regulation:
- Conduct a data audit across your entire organization. Determine what information is collected across all of your organization’s departments and operations.
- Determine how the data is processed, stored and retained. Identify which of the GDPR’s six lawful bases your business uses to collect data, where data is stored, the record-keeping process for data use and your business’s policy on data retention.
- Examine your vendors' and partners' data management practices. Make sure that business partners such as cloud service providers, payment processors and marketing firms are ready to comply with the GDPR, and that your contracts with them spell out the processing they may perform on your behalf, as the regulation requires. Even if your own data protection measures are in place, you can still be held liable alongside a vendor for its failure to comply.
- Create a plan that accounts for the GDPR's requirements on consent, data subjects' rights and breach notification. Meet with management, IT, legal teams and other stakeholders to create a GDPR compliance plan that fits your business. Your plan should address how your business will collect and record data subjects' consent to process their information, how it will respond to requests to access, delete or transfer data, and how it will report personal data breaches to the supervisory authority within the 72-hour window the regulation sets.