The General Data Protection Regulation (GDPR) is a new data privacy and security law that strengthens the protection of personal data for citizens in the European Union (EU). It was intended to build upon the EU Data Protection Directive of 1995 through the following actions:
- Extending the obligations of entities that collect or process personal data
- Enhancing the rights of data subjects in the EU
- Adding harsher penalties for data privacy and security violations
The types of data protected under the GDPR include basic personal information (such as names and addresses), extended personal information (health data, biometric data, racial or ethnic data, political opinions, and sexual orientation), and web data (IP addresses, cookie data, and RFID tags).
How to become GDPR-compliant
GDPR was passed in 2016, but a two-year window was established to provide a grace period for compliance. Now that grace period is approaching its end — GDPR officially goes into effect on Friday, May 25, 2018. If you haven’t already made your data practice compliant with GDPR, now is the time.
Q: My business is not based in the EU — do I still need to comply with GDPR?
A: Any business that collects, monitors, and processes the personal data of people in the EU must comply with GDPR. So, if you are a U.S.-based business with a website or marketing campaign that has the potential for collecting and processing the personal data of EU citizens, then it’s critical that you make your data privacy practices compliant with GDPR immediately.
Ready to get started with GDPR compliance? Here are two basic steps you need to take to get on the right track:
1. Take stock of current data privacy procedures & policies
The first step is to determine exactly what you’re working with. That means taking an inventory of all the ways you are gathering, tracking, and storing user data. Where does it come from? Where do you store it? How do you use it? What does your current privacy policy look like?
Once you’ve completed this audit, think about how the new GDPR regulations will change your current policies. Are there better ways for you to handle user data? Are there certain user data collection practices that you need to stop completely?
2. Seek out expert legal advice for guidance
To avoid putting you or your business in a risky spot, we strongly recommend consulting with your in-house legal team or reaching out to external legal counsel when carrying out GDPR compliance. The GDPR compliance process will be different for every business, so have a legal expert guide you through the implementation of GDPR-compliant procedures and policies.
Want to learn more about GDPR?
Read the full text of the GDPR law, or break it down with this summary of GDPR takeaways.