On May 25, 2018 the European Union (EU) began enforcing the General Data Protection Regulation (GDPR). Although it is a European law, it reaches U.S. businesses too, including some that never sell overseas, because it applies based on whose data you handle rather than where you are located. Read on to learn what the regulation requires and how to reduce your risk of a compliance breach.
What is GDPR?
GDPR is the EU's new data protection law. It differs from earlier privacy laws in that it gives individuals far more control over their personal data and over how companies and digital marketers use it online.
Does GDPR apply to you?
If you fall under any of these three categories, you will need to comply:
- You have a physical presence (an establishment) in the EU
- You have no physical presence in the EU but you offer products or services to people in the EU
- You offer no products or services to people in the EU but you monitor their online behavior
If any of these apply to you, you will have obligations under GDPR as a controller of personal data. If none of them apply but you process personal data on behalf of one or more customers who do fall into these categories, you will still have to comply, because you will be considered a processor under GDPR and your customers are required to bind you to its terms by contract.
In order to determine what exposure and obligations you have:
- Understand your data by identifying and justifying the purposes you are collecting it for, how long you are keeping it, where it resides and how sensitive it is.
- Review your privacy notice and ensure it includes the information required by GDPR, ensuring that you receive and document consent where needed.
- Review your processes for responding to requests from individuals. Ensure you are equipped to respond to requests to access, correct, delete, port, or restrict or stop processing of personal data without undue delay, and in any event within one month of receipt.
- Review third-party contracts. Ensure your contracts with every organization you exchange personal data with include the data protection terms GDPR requires, including the mandatory processor clauses where that organization processes data on your behalf.
- Adopt a data protection by design culture. Conduct reviews of data protection requirements up front when developing a new product or service. Perform data protection impact assessments. Create awareness in your organization of data protection principles.
- Develop an incident response protocol. It should cover how you detect, contain and document a personal data breach, and how you notify your supervisory authority within 72 hours of becoming aware of one (and the affected individuals where the risk to them is high).
- Identify your lead supervisory authority, the regulator you will deal with, and decide whether you are required to appoint a Data Protection Officer. Whoever owns data protection in your organization should be familiar with GDPR and current best practice.
Although it is not yet clear how aggressively the regulation will be enforced, ensuring that the data you collect is handled in compliance with GDPR should be a top priority. Need help assessing your organization's risk? Start here.