The Night Before GDPR

Aaron Shapland

Twas the night before GDPR, when all ‘round the world.
All the companies were stirring, and emails were hurled…

As we all know – or should know – by now, the European Union’s GDPR comes into effect tomorrow. If you have not yet noticed the flurry of emails in your inbox over the past few weeks, then either you haven’t seen your inbox or you receive far too much spam.

Despite the GDPR being a European law, it impacts companies and organizations around the world. And since this is the most far-reaching and strict legislation that governs data in today’s world of data-centric decisions, it is important to be aware of what the GDPR is and how it affects you.

What is the GDPR?

The GDPR, or General Data Protection Regulation, is a new law that goes into effect in the European Union tomorrow, May 25, 2018. It gives people more control over their personal data, forces organizations to better protect personal data, and establishes a baseline, cross-border framework for how personal data should be managed. Data, in this context, refers to any personal information such as name, email, address, age, birthdate, and more.

Who does the GDPR impact?

It affects any business or organization that holds any personal data of any person in Europe – everything from customer or employee data to sales prospects on mailing lists. If you are part of a company or organization (either public or private) that does business in Europe, has employees in Europe, sends communications to anybody in Europe, or holds personal data of any European, then the GDPR directly applies to you.

While GDPR compliance is only legally required for those organizations with European data, it does set a baseline framework for trustworthiness and transparency that is long overdue. Even if your organization may not be legally affected by GDPR, implementation of GDPR standards is recommended – think of it as the new baseline expectation for companies everywhere.

What if I don’t comply?

If the GDPR applies to you (see paragraph above), then you have no choice but to comply. If you are found in violation, you will face fines of €20,000,000 or 4% of global revenue from the previous financial year – whichever is higher. And given the advance notice and ample literature on the regulation available so far, you can expect that EU authorities will be on full alert to find those organizations not complying.

How does the GDPR affect me?

The GDRP is comprised of 99 articles that outline how personal data is to be used, stored and managed. However, the robust regulation can be distilled into these key points:

1. Awareness:
Be aware of what and whose data you hold at all times, as you now have greater responsibility to safeguard it.

2. Preparedness:
Organize the data so it is cataloged, centralized, and easily accessible by the data owners (they now have the right to edit and request deletion of their data).

3. Responsibility:
Appoint a Data Protection Officer, who is responsible for overseeing all of the data, and inform data owners of how to contact this person.

4. Proactivity:
Implement security measures and protocols to protect the data. Any data breaches must now be announced to the data owners within 72 hours of discovery.

5. Communication:
Educate employees and clients alike on your data management approach. Transparency is the best approach, so keep the communication lines open and all language clear & concise.

Where can I learn more?

To learn more about the GDPR and its detailed policies, you can visit the EU’s website on data protection: https://ec.europa.eu/info/law/law-topic/data-protection_en