May 25 marks one year since American businesses became subject to the European Union’s General Data Protection Regulation (GDPR). By one recent estimate, more than half of US companies possess some data on EU citizens. Yet only a small percentage of these firms is GDPR-compliant, leaving the rest technically subject to the mind-blowing maximum fine of $24 million US dollars.

Offering stragglers some comfort, attorneys writing for Fortune Online note that “EU regulators are unlikely to start imposing such penalties right away [and] even if they do come knocking, are likely to recognize good faith attempts to comply.”
If you’re subject to the GDPR, but not yet compliant, these steps can help demonstrate your good
#1) Know your data.
Understand, and be able to show, what information you’re collecting, how you collect it, and with whom it’s being shared.

#2) Prepare to explain your process.
If customers ask, you’ll have 30 days to clarify which data of theirs you collect and share (and how), and to stop doing either or both if they wish.

#3) Confirm your ‘lawful basis.’
Your company needs valid legal grounds to process personal data. The GDPR identifies six instances in which you can legitimately collect this information, the most bulletproof of which is user

#4) Have a breach-response plan.
GDPR gives you just 72 hours to notify authorities that a data incident has occurred. Reduce risk by working closely with IT and leadership teams to ensure they know exactly what to do and where to turn when customer data is compromised.