U.S.-based organizations that do business in the EU or with EU citizens may be impacted by the General Data Protection Regulation (GDPR), which went into effect May 28, 2018.
The European Union’s far-reaching new General Data Protection Regulation is changing the privacy landscape. Simply put, GDPR puts strict monetary penalties in place for the improper usage and protection of an individual’s data.
GDPR checklist
Here are some questions to help you start to gauge your GDPR readiness, assuming you are subject to GDPR:
Are you collecting, processing, or storing personal data related to the EU? GDPR has specific rules around how personal information is collected, processed, and stored, including third parties that may be providing data processing on your behalf. Be sure you understand how data flows so that you can identify and resolve gaps. If member data is used externally, talk to your vendors about their GDPR compliance.
Have you asked permission? Can you handle opt-in and opt-out requests? Affected organizations are required to get express written consent from individuals regarding their data use, provide users with notices about their rights under GDPR, and manage informed consent notices.
Do you have internal processes in place to comply with the 72-hour mandatory breach notification? GDPR requires you to communicate with affected consumers quickly following a breach of data. You may need to consider building these messaging systems into your existing business processes.
Do you understand how GDPR intersects with existing U.S. regulations? One provision of GDPR that has become a talking point is the “right to be forgotten,” and how it intersects with regulations that may require organizations to retain personal data.
Is your board or executive team trained on GDPR? The rules are complex and the change will be monumental for some organizations, so be sure to build awareness — and support — from your leadership.
Are you able to report about your compliance management should you be asked for it? Be sure you can show evidence of GDPR compliance in the event that it is applicable and a regulatory body requests it.
Have you built a pathway to compliance? A comprehensive understanding and evaluation of your operations, information technology environment, and the vendors you utilize are critical to understanding your level of risk and what steps you should take to transfer, mitigate, or accept those risks where applicable. Make sure you understand your risks and evaluate them whenever your operating environment changes (e.g., process change, physical change, technical change, personnel change, or vendor change).
How we can help
We, along with your lawyers, can help you determine your GDPR readiness by mapping the data flow in your organization and assessing the effectiveness of your controls. Our GDPR data impact assessment will help you identify how to implement and enhance any current safeguards through controls, policies, and procedures to adapt to the evolving regulatory and threat landscapes.