The General Data Protection Regulation (GDPR) is the European Union's legal framework governing the collection, use, and other processing of personal data of individuals in the EU.
It has been called “the toughest privacy and security law in the world.”
Although it is a European law, many companies, universities, and nonprofits in the United States are subject to the GDPR if they offer goods or services to people in the EU or monitor the online behavior of people in the EU, even without any physical presence in Europe (the extraterritorial scope in Article 3).
Goods or Services to People in the EU
EU regulators will consider whether the United States organization caters to EU customers.
For example, a person in an EU member state such as France could order flowers from a Denver, Colorado florist to be delivered for a friend's birthday in Denver. That one order does not by itself bring the florist into scope; regulators would look at several factors that show an intent to serve EU customers, such as whether the florist advertises in the EU, offers its site in an EU language, or includes euro pricing.
EU Online Behavior Monitoring
EU regulators would likely look at the organization's web tools for tracking of visitors from the EU, such as cookies, IP address logging, or other identifiers used to profile individuals or follow their behavior across sites. Routine server logs alone are less likely to count than tracking used for profiling or behavioral advertising.
How can you comply with GDPR?
The EU's GDPR includes many updates and key differences from the previous Data Protection Directive (95/46/EC), reflecting today's data-driven environments. Compliance depends on an organization's processes: maintaining records of processing activities, handling data breach notifications, and honoring data subject rights such as access and erasure. Some organizations must also appoint a Data Protection Officer (required for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data categories). Where processing relies on consent, users must actively opt in through a freely given, specific, and informed choice about what personal data is collected and how it is used; pre-ticked boxes and silence do not count.
New GDPR requirements can be daunting for data privacy professionals and those working in the compliance space. Organizations must implement privacy-by-design across all silos and verticals. In addition to a growing number of requirements, the relevant supervisory authority must be notified within 72 hours of the organization becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them. Failure to comply with GDPR requirements can result in hefty fines, up to €20 million or 4% of worldwide annual turnover, whichever is higher.
GDPR Compliance Checklist
- Ensure internal policies and procedures align with the workplace and with the scope of GDPR requirements.
- Manage cases, individual requests, regulatory reporting, crisis management, and individual notifications proactively.
- Implement multiple breach identification and reporting channels, and launch a comprehensive effort to inform employees of their role in identifying and reporting incidents.
- Develop an extensive training program for each employee on all applicable GDPR topics.
- Embed privacy-by-design standards throughout your organization, and extend them to all vendors and contractors with effective due diligence and third-party management.
Privacy by Design
Data protection by design and by default (Article 25) must be embedded in all data processing technologies: collect only the personal data needed for each purpose, apply the most privacy-protective settings by default, and build safeguards such as pseudonymization into systems from the start rather than adding them afterward.
Policy and Process Updates
GDPR requirements should be integrated throughout the organization, with regular updates to policies and procedures and dissemination to the people who carry them out.
GDPR Compliance Training
Training should target the areas where employees are most likely to mishandle personal data and should educate team members on their responsibilities under the regulation.
Timely Breach Notification
Reporting mechanisms should be in place so that data breaches are identified and escalated immediately, leaving enough time to meet the 72-hour deadline for notifying the supervisory authority.
This information is not intended to serve as legal advice. Nor is it intended to act as compliance advice specific to the processes of any specific company. Application of compliance laws is a company-specific endeavor. We recommend that you contact compliance counsel to discuss the application of information found herein to your operations.