GDPR - Compliance Requirements, Deadlines

What is GDPR? Compliance Requirements, Deadlines, and More

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation that protects the data and privacy of anyone living in the EU, enforceable from May 25, 2018. The regulation applies to all companies and organizations, regardless of their location, that collect or process EU residents’ data. Examples of personal data include social security numbers, names, addresses, IP addresses, photos, genetic data, and nearly anything else that can be used to identify an individual.

Controllers and Processors

GDPR compliance requirements apply to controllers and processors of data. The controller is the organization that must tell consumers, in plain language, why and how they process personal information. The processor is the organization that is performing the data processing. Controllers are responsible for ensuring that their processor is GDPR compliant.

Ensuring GDPR Compliance Checklist

1. Discover what the GDPR defines as personal data. The official GDPR website has a list of personal identifiers; go through your organization and determine which of these identifiers you collect as part of doing business. If you have no dealings with EU residents, you can stop here. Remember, cookies and mailing lists count.

2. Check your organization’s website to ensure you tell visitors in plain English how to opt in or out of providing personal information that is not necessary for you to provide a service, such as shipping them a product they bought. Don’t pre-check boxes, such as signing up for your mailing list, when the customer is entering their shipping information.

3. Assess your risks. Your organization is required to have a Data Protection Impact Assessment that outlines how you assess risk and the measures you will take to protect personal data.

4. Understand EU citizens’ data rights and how you must respond to their requests.

5. Look at the third-party vendors that have access to the personal data your organization collects; it is your responsibility to ensure their compliance.

6. Create a plan for a data breach that is GDPR compliant.

7. Create a plan to ensure legacy data is GDPR compliant.

This checklist shows you how much work is involved in becoming GDPR compliant; however, it is not complete, as the compliance requirements are complex. The official text of the GDPR runs to 11 chapters, totaling 99 pages.

Even small businesses in the U.S. with a single employee must comply with the GDPR. If you operate a business or organization that deals with EU residents in any way, you should consult an attorney to interpret the regulation and ensure you are compliant. There are stiff fines, penalties, and sanctions for non-compliance.
