5 last-minute GDPR resources to help bring businesses into compliance
This Friday is the deadline for compliance with the European Union’s new General Data Protection Regulation, widely considered the strictest law in the world in terms of regulating the collection and use of consumer data. In broad strokes, GDPR generally requires companies to get clear consent for collecting people’s personal data and allows people to access the data stored about them, fix it if it’s wrong, and delete it if they so choose. Even if your business isn’t based in the EU, it may still be required to comply with GDPR if it collects data on people in the EU, and the fines for not complying can be severe: up to 20 million euros or 4% of annual revenue in the most egregious cases. If you’re still scratching your head about what you need to do to get ready for the new law, here are a few resources that can help.

Parker, an automated chatbot from international law firm Norton Rose Fulbright, can help if you’re still figuring out whether your business outside the EU even needs to comply with GDPR.
Essentially a checklist in chat form, the tool can help you decide in a few minutes how concerned you need to be about the new regulation.

This GDPR compliance checklist, developed by a group of startup founders from Belgium, can help you take the same rigorous approach to making sure you’re ready for the new law.

While this guide is aimed at designers, it’s useful to anyone who’s involved in crafting websites, apps, or services that are going to potentially handle people’s personal data. Designers, developers, and managers all need to be thinking about what data they actually need to collect, and where they can store and process it. They also need to make sure users clearly agree to what’s going on and have the legally required resources to access, update, and delete their data if need be.
If you want to let your customers see the data you have on them, and update or delete it if they wish, but you also store data across multiple cloud vendors, you might have some work to do. One solution is to use a core tool that syncs that data to as many of those third-party cloud services as possible, to simplify things when those user requests come in or when you’re preparing your compliance documentation. Segment, which has long helped companies connect with third-party data services, has rolled out tools to help its customers track those requests, data updates, and user consent changes and forward them on to supported vendors.
How to Comply with GDPR
The GDPR is designed to protect the personal data of EU citizens, and to do so it regulates how such data is collected, stored, processed, and destroyed. Perhaps most importantly, the territorial scope of the law is very broad. Article 3 of the GDPR states that a company anywhere in the world is subject to the GDPR if it processes the personal data of anyone residing in the EU. It doesn’t matter if your company has no offices or employees in the EU, or even if no transactions are carried out in the EU. If you process an EU citizen’s personal data, then you need to comply with the GDPR or face the financial consequences.
While GDPR compliance is important, it is vital not to forget about the other compliance and data privacy regulations that may apply to your organization. This includes a GDPR checklist for data controllers and a GDPR checklist for data processors. Consider how to verify individuals’ ages and how you can obtain parental or guardian consent for any data processing activity. Designate someone to take responsibility for data protection compliance and consider whether you are required to formally designate a Data Protection Officer. The GDPR makes a distinction between a data processor and a data controller.
For more on Data Protection Impact Assessments, see How a Data Protection Impact Assessment Helps You Comply with GDPR.

Right to access, rectification and erasure

How to protect customer information under GDPR

The GDPR is designed to protect Data Subjects, but it goes to great lengths to avoid spelling out in technical terms what you need to do to ensure that you achieve suitable levels of data security. It’s a common myth that the GDPR requires the use of data encryption, and some consultants appear to be pushing sales of encryption products by implying that all you need to do is encrypt all your data and you will satisfy 90% of GDPR requirements. Any encryption initiative will likely involve an encryption product that handles data encryption as well as managing encryption keys, and may also include a cloud encryption gateway to ensure that data sent to the cloud for storage or processing is also encrypted.
Detecting breaches is far from trivial: it takes an average of 191 days for data breaches to be detected, according to the Ponemon Institute’s 2017 Cost of a Data Breach Study.