Did you know the EU's General Data Protection Regulation (GDPR) came into effect on 25th May 2018?
Unfortunately, only an estimated 21% of U.S. businesses are ready to comply with the new regulation.
If your US-based company collects, stores, processes, or relies on data from EU citizens and you aren't ready to comply with the EU's regulation, you should start preparing before it's too late.
General Data Protection Regulation (GDPR) compliance for US companies is mandatory. As the new regulation states, failure to comply could lead to hefty penalties and fines.
Let's look at seven tips that can help you prepare your company for GDPR compliance.
DISCLAIMER: This article is not considered legal advice and we are not attorneys. If you have legal questions, contact an attorney.
1. Tackle One Thing at a Time
A data privacy complaint can cost you up your company's annual revenue, but that doesn't mean you should make snap decisions or do things in a hurry.
It's essential to ensure you're relaxed and ready to tackle one thing at a time to avoid making mistakes.
You should also involve your employees and clients in the preparation stages to ensure you're reading from the same script. Engaging them will also ensure they make GDPR compliance a priority.
Besides, they'll have confidence that the sensitive data you collect from them will be properly managed and put to good use.
2. Understand the Law
When preparing to comply with GDPR, you need to learn and understand what GDPR is all about. This will help to define your obligations and make the preparation process successful.
Here are questions and answers that will make it easy to learn what you need to know about GDPR. For legal advice, contact an attorney, as we are not a law firm or attorneys.
The GDPR is a regulation in European Union law that is designed to ensure data protection and privacy across Europe.
The regulation was approved in April 2016 and has replaced the 1995 Data Protection Directive.
Who Must Comply?
According to the Article 29 Working Party (WP29), the new regulation applies to any organization that handles sensitive data from EU citizens and residents or does business in Europe, regardless of its home country.
Who'll Adopt This Law?
All 28 countries in the EU will adopt the new regulation, in addition to Norway, Liechtenstein, and Iceland (collectively known as the EEA, or European Economic Area).
The United Kingdom, which left the EU in 2016, will also adopt the new regulation.
What Is "Personal Data" According to GDPR?
The GDPR defines personal data as information that can help to identify an individual. It includes names, physical addresses, email addresses, birth dates, and health, biometric, and demographic information.
What Should You Do If There's a Breach of Data Privacy?
A data breach that may pose a risk to the subjects must be reported to the EU's Data Privacy Supervisory Authority within 72 hours.
Affected persons should also be notified about the breach without undue delay.
3. Find out If You're a Data Controller or a Processor
GDPR will either view you as a controller or a processor. Make sure you know the category into which you fall before you start the compliance process.
What's the difference between a data controller and a data processor?
GDPR defines a controller as a person, agency, public authority, or any other entity that determines why and how personal data will be processed.
A processor, on the other hand, is defined as a legal or natural person, public authority, agency, or any other entity that processes personal data under the instructions of the controller.
4. Audit Your Data
Before you start the GDPR compliance process, you need to learn as much as you can about the data you have. You can start by answering the following questions:
- Who collects data?
- Where is it stored?
- Why do you have it?
- How long do you need it?
- Can it be deleted?
- Who can access it?
- Is it sensitive data?
Also, make sure you can get a single view of your data subjects. This will make it easy for you to delete the subject's information from everywhere you've stored it when the need arises.
There are database solution providers who can help you get a single view of your data subjects.
It's also essential to audit all the third-party providers that have access to your EU data and ensure they're complying with GDPR. Don't just take their word for it. Instead, ask for documents that prove their GDPR compliance.
5. Ensure You Have a GDPR Expert by Your Side
Not all organizations need a Data Protection Officer (DPO), but given the complexity of the compliance process, it may be wise to hire or outsource one.
You should ensure the DPO is a certified expert in data protection. Here are the roles that the DPO will play.
- Educate you and your employees about data protection and privacy
- Train the employees that have access to personal data
- Help you address data-related issues proactively
- Manage all records related to data protection
The DPO should be in a position to explain to your clients how you use their data and the data protection measures you've put in place. Most importantly, the officer should work with your legal team to determine which EU country will be your supervisory authority.
GDPR mainly focuses on one thing: consent.
You need to introduce new policies and procedures that will make your subjects feel they are in control of their data. Introduce a feature in your system that allows a client to tell you how and when you can use their data.
You should also introduce new security measures that protect your data from unauthorized access.
If you have to use the data for other purposes such as driving traffic to your website, you should inform your subjects and seek their consent first.
7. Segregate Your EU Data
It's advisable to segregate your EU data. This will make it easy for you to manage it and ensure everything you do with it complies with GDPR.
There are cloud-based database service providers that can help you separate EU data from the rest quickly and efficiently.
Final Thoughts on GDPR Compliance for US Companies
GDPR compliance for US companies doesn't have to be difficult or complicated. You only need to follow the tips highlighted above to make the compliance process smooth and successful. This will prevent compliance issues and the associated penalties and fines.