GDPR is upon us. Here is a last-minute checklist to help businesses make sure they’re ready, from data classification to user interface changes, along with expert advice to avoid common pitfalls along the way.
First and foremost, don’t ignore GDPR. It’s easy to assume that if your company is based outside of the European Union (EU), GDPR won’t apply to you.
“We advise that US-based businesses still need to comply with (let alone care about) GDPR, for a few reasons,” Anne P. Mitchell, attorney, GDPR compliance consultant and author of Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law) told AListDaily.
She warned that assuming GDPR won’t apply to your business can have dire—and expensive—consequences if that turns out not to be the case.
“You really have no way of knowing whether someone with whom you are interacting online is actually in the EU or not,” said Mitchell. “IP address geolocation is not only unreliable, but it is also prohibited by GDPR.”
Mitchell explained that GDPR prohibits companies from using automated means to determine information about a data subject, including location. In other words, companies cannot simply exclude a user from accessing a web page because they are located in the EU.
“Second,” she continued, “GDPR applies to ‘people in the union,’ not ‘residents’ or ‘citizens.’ If I, a US citizen, do business with your US-based e-commerce site with my US-based email account—but I happen to be mid-flight over Germany at the time—I am, at that moment, technically, in the union.”
Some Assembly (And Help) Required
GDPR compliance will take a global, group effort. Here are some steps businesses should take to make sure everyone is ready by May 25.
- Appoint a data protection officer (DPO) and create awareness among chief decision makers about the GDPR guidelines.
- If you are outside the EU, appoint a representative in the EU.
- Train staff to be aware of new data requirements.
The Interactive Advertising Bureau (IAB) has also released a set of tools to help attain GDPR compliance.
Classify Your Data For Proper Handling
Much as you would label packages “urgent,” “fragile” or “return service requested,” all data collected and stored by a company must be classified to ensure that sensitive information is handled properly. Correctly labeling data should also raise awareness to the end user so that they understand what information is stored and how it will be used.
Data classification is typically the responsibility of the chief information officer (CIO) or chief information security officer (CISO). To ensure compliance, make sure your systems and data inventories are up to date so that they can apply data classifications properly and can fulfill requests from users.
Time For A User Interface Makeover
Make sure users can easily:
- Request access to their personal information
- Update their own information to keep it current
- Request that their information be deleted
- Request that your company stop processing their data
- Request that their information be transferred to them or a third party
Even if you’re not sure that GDPR applies to your company, becoming compliant makes good sense, Mitchell explained, adding that companies should announce GDPR compliance right on their websites, marketing materials, etc.
“At a time when data security (and lack thereof) is front and center on consumers’ minds, being able to say you are GDPR compliant is a huge plus in terms of giving consumers peace of mind,” said Mitchell.
Knowing Is Half The Compliance Battle
It’s a big world, and the internet connects us all. You never know who is accessing your business’ website or services and where they are at the time. For that reason, Mitchell says it’s better to be safe than sorry—and fined €20 million (nearly $25 million USD) or four percent of a business’ gross annual worldwide income, whichever is higher.
“GDPR specifically states that they will go after anyone—anywhere—who violates GDPR with respect to someone ‘in the union,’” warned Mitchell. “Plus, GDPR also has a private right of action, meaning zealous individuals will be filing their own grievances against companies wherever those individuals feel their rights under GDPR have been violated.”
According to a report by Crowd Research Partners, 60 percent of companies admitted that they are likely to be in breach of the law by the GDPR compliance deadline, and close to a third have not even started the compliance process. Will you be ready?
Editor’s Note: The information provided in this article is for educational purposes only and should not be construed as legal advice. Companies seeking GDPR compliance should consult legal counsel prior to making decisions regarding data privacy.