GDPR Compliance in the US: Are you ready?
The General Data Protection Regulation (GDPR) is a recent set of proposed rules that are expected to help European countries address a host of thorny data privacy issues. If your company conducts business in Europe—now or at any time in the foreseeable future—there’s a strong chance that this new set of laws will impact your data management process, and if your current process is not on track to compliance by May of 2018, you may be falling behind.
The law has been designed to modernize and standardize data protection practices across all 28 EU member nations, and its text helps to clarify and codify some of the wild-west ambiguities that have arisen over the last decade alongside the corresponding rise of social media and cloud computing services.
With the law in place, any European citizen or customer who identifies a concern with a company’s data management practices can take that concern to the data privacy regulator in their own country (rather than to the authorities in the country where the target company is headquartered). In addition, the European law that protects a person’s “right to be forgotten” has generated some headaches for tech companies in the US, and these issues will be addressed as the GDPR becomes part of EU law.
What does GDPR mean for you?
As the GDPR goes into effect, compliance becomes the sole responsibility of any company that handles personal data, even if that company outsources IT services to another firm. For example, with GDPR in place, appropriate reporting must take place within 72 hours after the recognition of a data breach, and affected individuals must be notified on an equally stringent timeline—even if an outsourced company handles the data and recognizes the breach. Companies will also be held responsible for maintaining updated records and must appoint an official Data Protection Officer (DPO). Violation of the reporting timeline, the record maintenance rules, or any other aspect of the law may result in significant fines.
This represents a challenge for smaller firms and IT start-ups hoping to handle data and maintain data security while providing contract-based services to large firms. If your company isn’t GDPR compliant by the May deadline, you may face obstacles while seeking to win the trust of larger clients.
So how far have you progressed on the path toward compliance? Have you implemented role-based controls? Have you reviewed and simplified your file-access lists? Have you placed appropriate encryption protections on sensitive data? If you’re well on your way and likely to complete your to-do list by May, excellent. But if you’re still working toward the earliest milestones, it may be time to seek expert support. Contact our office and arrange a consultation with our team—we’ll get you on track to success!