Yes, even if you’re not based in the European Union (EU), the General Data Protection Regulation (GDPR) applies to you.
Really? Even if I’m not in the EU? Yes, it doesn’t matter whether you have a physical presence in the EU.
The EU’s GDPR affects all countries and applies to any business or organisation that holds personal data on or provides goods or services to EU citizens or EU residents.
So, if you hold information about present or past employees, clients or suppliers who are EU citizens or EU residents you need to comply with the GDPR. Even if you don’t offer your product or service directly to consumers, but rather provide a service to an EU company that leads to you in some way processing personal data on EU citizens or residents, you’ll need to comply.
Large multinational companies like Facebook with its online social network, Google with its search and cloud storage, Amazon with its e-commerce and Airbnb with its international accommodation rental all fall within the reach of the GDPR. But so do smaller companies.
All businesses had until the 25th of May 2018 to comply (in theory). From that date companies are at risk of sanctions for non-compliance which can reach up to 4% of global revenue.
Compliance is not a once-off exercise but an ongoing one. Many organisations will need to rethink what data privacy and protection mean and will need to improve the systems they use for collecting, processing and storing data so that they meet the GDPR requirements.
The GDPR stipulates Data Protection by Design: you may only collect, use and store personal data for specific purposes. You should minimise the personal data collected from consumers and should not retain the personal data beyond its original purpose. You will need to ensure you are securing the personal data adequately and will also need to respond to any security breaches of this data.
Most importantly, the GDPR gives individuals access to and ownership of their data. You will need to be able to respond to individuals' data requests.
Prevention technology and process improvements alone will not help you achieve compliance. The people within your organisation will need to be aware of the GDPR and how it will affect their responsibilities. You will need to train current and future staff on how personal data can be used by your organisation. Your data protection policies need to be communicated to your employees and made available to the public via your websites and other communication portals.
The new requirements imposed by the GDPR may seem daunting, especially to smaller organisations. But there are ways to simplify the implementation and maintenance of your data protection program. You should start by getting executives to buy into the program and by assigning responsibilities amongst staff. You should consider appointing a data protection officer, engaging a consultant or using a GDPR compliance service like PrivIQ.
A GDPR compliance service will simplify the process of compliance. An initial assessment will allow the service to generate a compliance program based upon your organisational needs. The service can serve as a repository for all your governance and compliance documentation and as a portal for managing employee training, thereby providing a coherent audit trail documenting your compliance efforts.
The advantage of using GDPR compliance software is that, through the provision of guidelines, checklists, procedures and staff training programs, it will enable you to reach and maintain compliance on your own.