
Starting a New Company? Doing Business in the EU? Don’t Forget the GDPR! The May 25th Deadline Is Right Around The Corner!
The General Data Protection Regulation goes into effect May 25, 2018. It’s a privacy law the European Union is enforcing to protect the personal data you collect from the individuals you do business with. Even if your company isn’t in the EU, if you do business there you must comply.
What Data Does The GDPR Cover?
The GDPR applies to personal data you collect from the individuals you do business with, from the time you collect it for as long as you keep it. This includes data like names, email addresses, physical addresses, and even IP addresses – anything you collect and add to your database, including information from surveys, questionnaires or quizzes. If you segment information in your CRM database, it includes this too.
The GDPR Protects:
- Information such as names, addresses, and ID numbers
- Web data such as locations, IP addresses, cookie data and RFID tags
- Health and genetic data
- Sexual orientation
- Biometric data
- Racial or ethnic data
- Political views
The GDPR Applies To Businesses:
- Located in the EU.
- Located anywhere in the world that collects the personal information of EU citizens located in the EU.
- Businesses of any size.
GDPR Principles:
- Process data lawfully, fairly, and in a transparent manner. In other words, you must be open about what data you’re collecting and what it’s for.
- Data must only be collected for explicit, legitimate and specified purposes. You must be able to explain why you’re collecting it and how you plan on using it.
- Data collection should be limited for legitimate purposes. In other words, if you don’t need someone’s address for the specific reason you’re collecting personal information, you shouldn’t collect it. And, once you collect the data it can only be used for its intended purpose.
- You must keep the data up to date and ensure it’s always correct. This is especially true for businesses like Facebook and Google and others like them.
- You shouldn’t keep this data longer than necessary. If you’ve completed the project or sale, and don’t need the data for marketing purposes, you must erase it all.
- Data must be kept secure with appropriate data protection solutions and kept behind a secure wall and encrypted. You should already be using SSL certificates and adhering to other security policies. (Ask your Technology Solutions Provider to help you with this.)
To Prepare For The GDPR:
- Perform a thorough inventory of your personally identifiable information and where it’s stored – in onsite storage or in the Cloud. And determine in which geographical locations it’s housed. Don’t forget about your databases. PII is often stored in databases.
- Perform a Gap Analysis. This is a process where you compare your organization’s IT performance to the expected requirements. It helps you understand if your technology and other resources are operating effectively. By doing this, your Technology Solution Provider (TSP) can then create an action plan to fill in the gaps. The right TSP will understand the GDPR regulations and how your IT must support your compliance efforts.
- Develop an Action Plan. Your TSP should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
- Ensure data privacy. If you don’t have a Technology Solution Provider, then you need one for this. Data protection is key for organizations of any size. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.” This is a concept that was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to do this if their data is stolen.
- Be sure to document and monitor everything that you do that’s related to GDPR Compliance. This includes any changes or upgrades that your Technology Solutions Provider makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when it comes to protecting citizens’ private information and that you practice “defense-in-depth” strategies where you use multiple layers of security controls when it comes to your technology.