What Your Organization Needs To Know About GDPR Compliance

If your organization collects data from citizens of the European Union, you should be aware of the new General Data Protection Regulation (GDPR). Effective May 25, 2018, GDPR will introduce a major shift in how users' personal data is handled by businesses.

Instead of attempting to deal with a patchwork of national laws, GDPR applies to entities controlling or processing personal information in the EU and to entities outside the EU performing the same activity regarding people within the EU. This could mean your American company may be required to comply.

GDPR's concept is simple: users, not businesses, should control their personal information. Nevertheless, implementing that simple concept may be difficult. Up until now, organizations that harvest and monetize user data could inform users of that practice by using long, unreadable privacy policies.

That will no longer be acceptable under GDPR. Users will now need to separately agree to some uses of their personally identifiable information (PII) by a business. GDPR greatly expands the definition of PII to include any unique ID, including cookies, RFID tags, or other information that, alone or combined with other information, could be used to identify or single out an individual.

Further, using generic privacy policy phrases such as "we use third-party service providers to help us process your personal information" is no longer acceptable for those subject to GDPR compliance. If you have a legitimate reason to collect, process, or transfer PII, you must notify those people in clear, unambiguous terms. Inform your users about every person and every entity that uses their PII and why. If a user wants you to stop, stop. If they want to access, correct, delete, or transfer their PII, you need to help them as if their information were tangible personal property.

Complying with GDPR will involve a thorough study of how your organization collects, stores, and uses the PII of your EU users. This includes how third parties use that data.

Know all the information collected, its sources, and why it is collected. Learn where that data is stored, and for how long. Know who has access and how the data is shared. Under Article 13 of the GDPR, users must be informed about the storage period for their PII; how they can access, rectify, erase, transfer, or restrict the processing of personal data; their right to withdraw consent; their right to complain to supervisory authorities; and whether the information provided will form part of a profile. "GDPR Compliance Tips for Small and Medium-Sized Businesses," www.cobar.org (Feb. 2018).


Commentary

If your organization does business with an entity that deals with European Union citizens’ data, you are subject to the General Data Protection Regulation, which means you will need a data protection officer (DPO). That officer will oversee organizational compliance with the new privacy rules.

At a minimum, some experts suggest, a DPO should know the difference between paper-based compliance and real compliance. Although a DPO may have a legal background, compliance or security professionals with more of a privacy background could also be good candidates. Hiring from within an organization may be faster and easier, because an inside hire who already knows the business’s privacy needs may get the organization up to speed faster.

There are geographic considerations, as well. Companies not based in the EU must decide whether DPOs will be based in an EU city or closer to their main headquarters. Experts suggest that it is important that DPOs establish a relationship with the EU regulators; this may be the deciding factor to base the DPO in an EU country. Speaking the country’s language could be a great asset as well.

Given the nature of the DPO’s duty, many experts believe that the DPO should be as close to the location of the company’s data collection as possible, wherever that may be. The closer the DPO is to the data and to the people gathering, processing, and controlling the data, the better. GDPR compliance is not a one-time effort. It will be a long-term project, and being further away will just make the job more difficult.
