It is now 12 weeks until the new EU GDPR legislation becomes a globally enforceable law. GDPR is an important new EU-mandated regulation: it provides the foundation for how organizations around the globe collate and process sensitive customer information belonging to EU residents.
Some say this is the best thing since sliced bread, in that it gives back a modicum of control to some individuals whose data is being processed willy-nilly in many organizations around the globe. In a time where the erosion of privacy is a heightened concern for many, this is a step in the right direction.
Others see the GDPR regulation as yet another set of hoops that legislators are forcing them to go through, and think it will do very little if anything at all in terms of better securing an individual’s privacy.
Whatever side of the fence you sit on – and even if you are sitting right on the fence – the facts are these: it will soon be law, and it will impact every organisation that regularly collects or processes the data of individuals covered by GDPR’s EU legislative scope, no matter where in the world that organisation is based.
MYTH: It does not affect my organization because it has no base in the European Union.
If you have a website that requests personally identifiable data, chances are you must abide by the GDPR requirements.
From travel and insurance to retail and online services, *any* organization that collates, stores or transmits volumes of sensitive personal information from EU residents must have the correct process in place by the deadline in mid-May 2018.
Let’s underline this point: It doesn’t matter if the data is collected outside the EU. It doesn’t matter if the data is processed or stored outside the EU region. If the data you collect relates to EU citizens, residents and visitors, and you do not follow the guidelines outlined by the EU GDPR regulation, your organization could be facing steep fines, not to mention legal costs and mandatory audits.
That’s right – you read that correctly: any visitor who is in Europe at the time the data is collected is also protected by GDPR.
GDPR: Are you really ready?
Let’s be honest here – this is not a straightforward or simple piece of legislation. The regulation impacts data collection, processing and transmission by imposing new security requirements to secure the sensitive data at every step.
The EU resident must consent to giving you the data, as well as consenting to how the data will be used and shared. More importantly, the EU resident can request data updates, ask for all the information stored on him or her, and demand that his or her data is wiped from the database.
Here is a high-level checklist of requirements to act as an aide-memoire:
- Review the consent policies presented, ensuring they abide by GDPR regulations. Ensure you are clear about what you are collecting and why. You must also request permission from the user before collecting sensitive information.
- Review or create a data management strategy to identify and classify data collated from users. You need to either treat all your data as stipulated by GDPR, or sort your data more finely, ensuring that data collected from the EU is handled according to GDPR governance.
- Review or create a governance plan setting out policies and procedures for how you will collate, process and store data securely. It is also wise to keep up-to-date records and logs to track the data through the various systems.
- Review or create a governance strategy for how you plan to manage the deletion of data, or its delivery to its rightful owner. GDPR gives the data subjects the right to request cessation of processing or dissemination of personal data. They can also request to have it erased if the subject withdraws consent or if the data is no longer relevant.
- Review or create a security strategy outlining the security infrastructure, procedures and policies that will protect the data from unauthorised access or use. Note that regular risk assessments are a GDPR requirement as well.
- Create a cybersecurity incident strategy, outlining notification procedures if a data breach occurs. For example, GDPR mandates notification of a breach within 72 hours of its discovery.
- Get expert help. Trying to navigate this legislation without proper expertise is possible, but it will certainly be time consuming and frustrating. Consider getting experts in to expedite and simplify the process before any penalties become enforceable.
More GDPR-related posts at TBG Security
- EU GDPR demystified: a straightforward reference guide for US firms – Part One
- EU GDPR demystified: a straightforward reference guide for US firms (PART TWO)
- EU GDPR demystified: a straightforward checklist for US firms (PART THREE)
- Top 4 cybersecurity headaches plaguing Financial Services Institutions
- Cybersecurity predictions 2018: 5 key infosecurity trends to watch out for