By now, you know whether the European Union’s General Data Protection Regulation (GDPR), with its strict and far-reaching data and privacy protection rules, applies to your organization.
What may not be as clear is what pursuing compliance means to you, how it may affect your operations, and which aspects of GDPR you and your team should be considering right now.
Opportunity or obstacle?
For many US firms, complying with GDPR is a little of both. For example, if you don’t currently compete in Europe, your investment in compliance could open the door to new sales and growth opportunities in the EU’s 28 member states. Compliance also earns you the right to pursue millions of new European customers without fear of the severe financial penalties regulators have set forth ($24 million US or 4 percent of your global revenue, whichever amount is higher). Also in the ‘opportunity’ column, according to Forbes, are expanded business benefits, including:
- Enhanced cybersecurity
- Improved data management
- Better marketing returns
- Greater trust from current and future customers
On the flip side, aligning with the GDPR gives European customers who buy your products or services greater control over your operations, specifically how you collect, process, store, and dispose of their personal information. It’s not cliché to call this change a true ‘paradigm shift’ in data management. As one European data-governance expert puts it: “Compliance is all about understanding that individuals now own their personal data; you’re merely hosting it for them.”
What to do, what to ask
Establishing and proving GDPR compliance may also require a significant financial investment in updating processes, infrastructure and manpower resources, including adding staff, such as a Data Protection Officer. To determine where you are right now and how far you’ve left to go, here are some tips and questions to take up with your team, including your legal counsel, internal business and technical leaders, and IT Managed Services Provider.
Know your data. Under GDPR, you’re responsible for identifying and securing any and all data that your business retains. Depending on your company’s size and type, this may be a smaller or larger task. Such in-depth self-examination may be new for many firms, and therefore potentially onerous. Just know that compliance requires you to respond to questions like these, from auditors, customers or others whose data you hold:
- What kind of information do you store?
- Where does the data come from?
- Where is the data stored?
- What is it used for?
- How is it secured?
- Who has access to your data?
- How much information is sensitive or personally identifiable?
- Could you collect less data and still get by?
One more thing: in this brave new world you will be required to display something called ‘fair processing notices,’ which cover many of the points above, as well as an explanation of where else you may send user data and how long you intend to store it. Be forewarned: “Existing Privacy Notices are unlikely to be sufficient to comply with the regulations, which lay out new detailed requirements that Privacy Notices must meet,” caution EU business and legal analysts at Lexology.
Check your consent policies. If your data collection requires it, the methods you use to obtain user consent, as well as the language explaining your opt-in practices, must be clear and explicit. No more pre-ticked checkboxes or other info-gathering mechanisms that regulators could consider tricky or deceptive. Points to review with your team include:
- What is our current opt-in policy?
- Specifically, what are users opting in to receive?
- Can we prove that consent is specific, unambiguous and freely given, from everyone in our database?
If not, consider emailing the whole lot again and resoliciting their opt-in consent.
Get help if you need it
Use the tips above, and those you gather from other sources, to conduct a thorough audit of your data collection, handling, storage and disposal practices and policies. Consider asking your team to refresh its knowledge of GDPR’s 11 Chapters and 99 Articles, and to review our GDPR Data Privacy Primer for Small Business, Part 1 and Part 2.
If you find there’s room for improvement and/or steps needed that exceed your available time, expertise or resources, give TeamLogic IT a call and tell us how we can help.