A Compliance Checklist for your businessUNDERSTANDING GDPR

Is your organization ready for GDPR? The new EU privacy law takes effect in less than 10 days so let’s review how to prepare your business to be fully compliant. If you’re already familiar with GDPR, check out our GDPR Compliance Checklist to assess your organization’s readiness for the deadline on May 25, 2018.

GDPR compliance security

What is the General Data Protection Regulation (GDPR) ?

The European Union (EU) enacted GDPR to better protect the privacy of EU citizens by regulating how personal data can be collected, stored, and used by organizations. Many businesses around the world will be impacted by the new privacy protections because any company that collects data from EU citizens will need to comply with the new rules by May 25. The official EU regulation can be reviewed here.

What organizations will be affected by GDPR?

Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are:

  • A presence in an EU country.
  • No presence in the EU, but it processes personal data of European residents.
  • More than 250 employees
  • Fewer than 250 employees but its data-processing could impact the rights of data subjects, or includes certain types of sensitive personal data. That effectively means almost all companies. A PwC surveyshowed that 92 percent of U.S. companies consider GDPR a top data protection priority.

Personal Data-Processing that can put your organization at risk

If your organization conducts business online, many of the data tracking/collection methods can put you at risk. Examples include:

  • Google Analytics
  • Adobe Analytics
  • Google Adwords
  • Newsletter Mailing Lists
  • 3rd party website tracking tools

GDPR Compliance Checklist

To assist you with GDPR compliance, we have published a GDPR Compliance Checklist. This checklist will help determine if your website will require updates to comply with the General Data Protection Regulation. Once reviewed, you can determine the next steps on developing the business processes and documentation to make sure your organization is fully compliant with the new regulation.

How does your organization ensure compliance?

Overall, your organization needs to develop processes to complete any data requests from your users regarding their personal data. GDPR states that you must deliver a complete response for a request for personal data information within 30 days. A complete response includes:

  • What personal data is being recorded about the user
  • The data storage location
  • Why your organization recorded and used their personal data
  • The data retention period

If you collect and process a large amount of personal data, your organization may need to hire a Data Privacy Officer to ensure personal data is storage securely and fully compliant. Developing business processes and documentation to deal with a data security breach can also better prepare your organization for a worst case scenario of a hack. Under GDPR, you will have less than 72 hours to announce a breach or you can face fines equal to 4% of your annual global revenue or €20 million.

At the minimum, you must have a Privacy Policy in place and update it to comply with GDPR if you process any personal data. You must also update all internal procedure documentation and have a well-defined policy on the data retention periods for all personal data stored at your company.

Disclaimer: The goal of this article is to educate you on GDPR and help you build processes to ensure compliance; however, the final confirmation of GDPR compliance should come from your legal counsel. Your legal counsel should stand behind all legal decisions that are made as any violations could incur fines from the EU.