GDPR Compliance: Questions and Answers
Business owners, data managers, and startup teams working to move their companies through the fundraising process are facing a looming spring timeline related to GDPR compliance. This set of data management regulations was passed into law by the EU parliament in April of 2016, and as the May 2018 compliance deadline approaches, questions are beginning to pile up. Get these questions answered now and the next few months will roll forward on schedule. Wait till the last minute, and a small issue could become large enough to deter potential investors, at the very least. Here are some quick answers to the questions that may be holding you back.
I’m Pretty Sure The GDPR Won’t Impact Me, Since it’s a EU Law and I’m located in the US. Am I Right?
Probably not. The GDPR will affect every company that operates within the European Union, but it will also apply to all companies that collect, manage, or handle data for European companies and European customers. If you conduct any international business at all, this probably means you. Even if your stakeholders are all highly local, consider your growth plans in the future.
I Have Customers in the UK. Will the Outcome of “Brexit” Clear Me from Compliance Obligations?
Again, probably not. The UK may or may not retain the GDPR if it leaves the EU, but at the moment, GDPR regulations will indeed prevail in the UK. If nothing else changes, expect to be held accountable for the data of your UK customers just as you would for customers anywhere in Europe. And keep in mind that GDPR accountability extends to all service providers, partners, vendors and other entities with which your sensitive customer data is shared. It’s a good idea to stay on the safe side and strive for compliance now, even if you end up off the hook after Brexit is resolved.
Do I Need to Hire a Data Protection Officer? This is My Largest and Most Expensive Concern
You're not alone; This is a serious worry for small companies and startups with lean resources. You’ll most likely need to appoint a DPO if your company
- Is a public authority,
- Engages in systematic monitoring
- In of sensitive personal data (check article 37 of the regulation to find out if you fit that definition.)
I’ve Experienced Data Breach Exposure in the Past. Will this Affect My Path to GDPR Compliance?
No, not as long as you address your exposure and set up a system that allows you to notify the DPA and affected customers within 72 hours if a breach occurs in the future.
Is There One Simple Resource I Can Rely on to Help Me Prepare?
You can read the full text of the act right here:
And in the meantime, an experienced consulting team can help you organize your compliance requirements into specific milestones. There’s no need for concern if you take things one step at a time and start moving now!