Overview
Action Items
- If your business has customers within the EU, you will need to prepare for compliance with GDPR.
- Review our recommended “Top 10” key steps to prepare for GDPR.
What Is GDPR?
GDPR refers to the General Data Protection Regulation, which will go into effect on May 25, 2018. It is a sweeping regulation governing the processing and protection of data regarding persons in the European Union (EU), which may include citizens, residents, or persons otherwise located in the EU.
GDPR is concerned with personal data, which includes both data that directly identifies an individual, such as a name or email address, and data that can be used indirectly to uniquely identify an individual, such as a birth date, a zip code, GPS location data, or device information.
Why Should My Organization Care About GDPR?
GDPR applies to any organization that controls or processes any EU personal data in connection with its business, regardless of size, quantity of data, or where the organization is located. Therefore, GDPR will apply to you if you:
- Offer goods or services to EU persons, or
- Control or process data of EU persons for monitoring purposes (for example, through behavioral tracking).
The potential penalties for non-compliance are high. In addition to regulatory fines, there may be collateral costs and damages, such as audit costs, increased data processing costs, and negative publicity.
Critical Steps
- If your business has customers within the EU, you will need to prepare for compliance with GDPR.
- As an initial matter, if your contact is merely incidental, or if you have only a few customers or clients based in the EU, you may determine that the best course is to take steps to prevent GDPR from applying to you. To do this, you would need to ensure that:
  - You cease any and all business with, and purge any data relating to, existing customers in the EU; and
  - You take steps to ensure that your services are not directed to EU persons in the future (such as by ensuring that your website is English-language only, that all currency is shown in US dollars, and that you do not provide shipping or service options within EU countries).
- If ceasing doing business with the EU is not a practical or desirable option, you will need to take steps to comply with GDPR.
- The good news is that many of the requirements of GDPR are the same as existing regulations in effect in the EU and its member states, so for entities already doing business in the EU, this regulation may not require major change.
- Even if your organization has not been focused on EU law, the core principles of GDPR are built on basic concepts of understanding how personal data is processed and respecting individual rights. Therefore, your current privacy practices will form the basis for compliance with GDPR. This is especially true if you operate in a heavily regulated industry, such as financial services.
- The challenge will be ensuring that your existing practices are sufficient to conform to the new (and existing) elements of GDPR, or are enhanced as necessary. To assist with that process, we have created a summary of our “Top 10” key steps that we recommend you take to prepare for GDPR.
Reference
- Top 10 Steps To Prepare For GDPR: gdpr-10stepsprep
We Can Help You
Please contact us if you will be affected by GDPR, and would like assistance in evaluating whether your organization is compliant.