Time moves fast, and that is especially true in the world of business regulation and compliance. It’s already been a year since GDPR, the European Union’s privacy law, went into effect. It took two years after GDPR was passed by the European Parliament, the Council of the European Union and the European Commission for it to be enforced across the entire EU and larger global economy. Questions still remain for many U.S. companies regarding GDPR compliance and enforcement, and the ripples of GDPR are still spreading across industries. One thing is clear: GDPR changed the landscape of data collection and protection, and there is no going back.
Looking back, what is GDPR, exactly?
GDPR stands for the General Data Protection Regulation. GDPR is a framework that sets the guidelines for the collection and processing of personal information of European Union citizens. It replaces a previous regulation, the Data Protection Directive.
Who needs to be GDPR compliant?
GDPR affects U.S. companies as much as international ones. Any company that stores sensitive information of an EU citizen, regardless of where that company is based, is mandated to comply with GDPR. That description includes industries that may seem surprising at first, such as video game production companies, marketing and advertising agencies, healthcare, and even beauty and cosmetics companies. Although all companies globally were expected to be GDPR compliant by May 25th, 2018, the reality is that many companies are still unsure whether they need to be GDPR compliant and, if they do, how to get there.
What kind of information is protected by GDPR?
Many companies mistakenly believed that GDPR was an IT issue, but the reality is that GDPR covers so many types of personal data that its enforcement affects many sectors of business. Protected personal data includes:
• Photos featuring the individual
• Email address
• Date of birth
• Salary and tax data
• Banking information
• Social networking information
• Location details
• Medical information
• Computer IP address
How does my company become GDPR compliant?
If your company needs to be GDPR compliant and isn’t, it’s important to work toward compliance quickly. There are a few steps you’ll need to take to achieve GDPR compliance:
Create and maintain a Personal Data Inventory.
Your company must document where personal information is located and how it is used. This can be done retrospectively at first and then kept current through ongoing monitoring. Once you have an inventory, you can use it to classify the types of data you hold and record how and when each type is used.
List tools your organization uses to collect, store or transfer personal data.
Knowing which applications and tools are collecting or storing data helps keep your Personal Data Inventory up-to-date and compliant.
Secure personal data.
A solid data security policy that covers every point where personal data is stored or transferred is key to maintaining GDPR compliance.
Review HR and Legal policies.
It’s important that your talent management applications and legal policies also protect any personal data they may collect. Look at each department of your organization for possible personal data collection points, and address each one as part of your overall GDPR compliance plan.
Create a GDPR compliance mission statement.
You’ll need to draw up a GDPR compliance statement that shows where and how you collect personal data as well as where and how it is stored and transferred. Be ready to show this document to vendors and clients.
Appoint a GDPR Data Protection Officer.
This applies to both data processors and data controllers. GDPR requires that a DPO be available for EU citizens to contact regarding the storage and usage of their personal information. The DPO is also responsible for monitoring compliance.
How will Brexit affect GDPR?
Just as the world was getting used to GDPR compliance, Brexit broke open a whole new host of questions. Will UK citizen data still be protected by GDPR, or will the country revert to the Data Protection Directive, or some other privacy regulation?
In reality, not much will change for UK citizens’ data after Brexit. The UK wrote GDPR protection into its own Data Protection Act in the same year GDPR went into effect. If your company processes personal information of UK citizens, you should continue to operate in GDPR compliance.
What is the future of GDPR?
GDPR opened up the conversation about how companies collect, store and use the personal data of private citizens. While it only applies to EU citizens, it has raised the bar on personal data security for many U.S. citizens as well. And there’s no going back, which is a good thing. Some of the top technology companies in the world are talking about how they should be protecting data for all citizens and are calling for global data security rules.
GDPR is just one regulation your company may need to follow. Multiple regulations mean multiple audits, which can lead to lost time and money for your business. There’s a better way: an integrated compliance solution.