What do you need to know about the GDPR

You may have noticed a flurry of privacy policy updates in your inbox in the last few weeks. There’s a good reason for that – the GDPR is here and it could apply to you.

What is the GDPR?

The EU’s General Data Protection Regulation (GDPR) commenced on May 25, 2018, and its impacts are being felt worldwide. These new rules for data collection and storage apply to all EU-based companies and residents, as well as to any business outside the EU that handles the data of EU residents. Basically, this means that if you do business with any EU companies, or market goods or services to EU residents, then the GDPR applies to you.

The GDPR contains 99 articles that define what data can be collected and stored and the conditions of that storage. In addition, there is a requirement of explicit, voluntary consent for data collection, and an obligation to allow all individuals access to their data.

The GDPR regulates not just the usual private information – name, email address, street address – but also cookies, IP addresses, and location information.

Are you compliant?

The broad application and detail in the GDPR means that you need to adapt your response to your business. Implementation may not be straightforward, and you will need to build your response into everyday work practice.

Under the GDPR you will have to clearly define the data you collect and how you store that information. Moreover, the requirement of explicit, voluntary consent means that you must communicate in plain language, avoiding any jargon or legalese, and the customer must have a genuine opportunity to opt out.

If you share that information with any third parties, you will have to include a Data Processing Addendum (DPA) in any agreement. A DPA should define the type of data accessible to the third party and their obligation to comply with your privacy requirements.

GDPR readiness will require, among other actions, a revision of your privacy policy, staff training and a review of many of your customer communication forms – for example, your email opt-in and contact forms.

What is different about the GDPR?

The GDPR holds companies to a higher standard to protect the rights of individuals.

While many privacy regulations focus on a company’s duty to protect its data from hackers, the GDPR requires the company to demonstrate responsible privacy management. In this context, the absence of a breach does not ensure compliance.

Compliance with these new regulations will require companies to achieve this higher standard. And with penalties of up to 4% of your worldwide annual revenue or over US$23 million, they need to adapt quickly.

Sources: Regulation (EU) 2016/679; Forbes: The Biggest GDPR Mistake U.S. Companies are Making; Security Intelligence: Getting Ready for GDPR; CSO: GDPR is live! Now what?; Forbes: Is Your Business GDPR Compliant?

GRC Solutions offers a wide-ranging library of Salt Compliance e-learning courses. Contact us today for more information.