May 25 marks one year since American businesses became subject to the European Union’s General Data Protection Regulation (GDPR). By one recent estimate, more than half of US companies possess some data on EU citizens. Yet only a small percentage of these firms is GDPR-compliant, leaving the rest technically subject to the mind-blowing maximum fine of $24 million. Offering stragglers some comfort, attorneys writing for Fortune Online note that “EU regulators are unlikely to start imposing such penalties right away [and] even if they do come knocking, are likely to recognize good faith attempts to comply.”
If you’re subject to the GDPR, but not yet compliant, these steps can help demonstrate your good intentions:
#1) Know your data. Understand, and be able to show, what information you’re collecting, how you collect it, and with whom it’s being shared.
#2) Prepare to explain your process. If customers ask, you’ll have 30 days to clarify which data of theirs you collect and share (and how), and to stop doing either or both if they wish.
#3) Confirm your ‘lawful basis.’ Your company needs valid legal grounds to process personal data. The GDPR identifies six instances in which you can legitimately collect this information, the most bulletproof of which is user consent.
#4) Have a breach-response plan. GDPR gives you just 72 hours to notify authorities that a data incident has occurred. Reduce risk by working closely with IT and leadership teams to ensure they know exactly what to do and where to turn when customer data is compromised.