Many have heard of the dreaded acronym “GDPR”, and if you haven’t, you most likely have been, or soon will be, affected by it.
What is it? The General Data Protection Regulation (GDPR) is long (99 Articles) and, in a nutshell, is a legal framework setting rules for the collection and processing of personal data of individuals who live in the European Union (EU). It came into effect in May 2018; however, many companies have still not really considered the ramifications of GDPR and how it affects their business.
Even if you do not do business with individuals in the EU, you most likely collect their data in some way, shape or form, and if so, this applies to you. Starting to adhere to its requirements will also prepare you for similar laws that are starting to appear in the US (such as the California Consumer Privacy Act).
And honestly, it makes you a good Corporate Citizen, showing you care about your clients’ information, privacy, and their trust in your organization.
The main points to take away:
- Be sure you have asked for consent to collect and store their data and be VERY clear with how you intend to use it. You need to have a “lawful basis” to process the data, and only collect the information you absolutely need.
- You cannot use the data for anything other than what you have originally stated.
- Be sure you are adhering to standards and best practices for protecting and securing that data (GDPR calls this “appropriate technical and organisational measures”, and explicitly lists encryption and pseudonymisation as examples).
- If there is a breach, have a thoughtful and immediate plan to communicate the situation and remediation steps to your clients. You must also notify the supervisory authority (regulator) within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals, and notify the affected individuals themselves without undue delay when the breach is likely to result in a high risk to them.
- Users of your website as well as clients can ask where and how their information is stored. They can ask for a copy of it. They can ask you to delete it. They can ask you to correct or update it. And they can ask that you discontinue or “pause” the use of their data (restriction of processing) without deleting it.
- Make sure other vendors and companies that you work with and possibly share data with are compliant and you have a clear agreement on roles and responsibilities with regards to the data you collect.
- You must keep personal data no longer than necessary to achieve the purposes for which it was collected, and have a retention schedule that says when it gets deleted.
- There are some pretty hefty penalties that come with non-compliance or a breach: up to €20 million or 4% of worldwide annual turnover, whichever is higher, depending on the infraction and the size of the company. There is also a steep cost to your company’s reputation if you have a major breach or do not disclose how you’re using clients’ data.
Having a plan, using the built-in tools and technology (many come with products such as Azure and Office 365), and being extremely cautious with your clients’ data is not only a good idea from a compliance standpoint, but keeps you ahead of the curve on future laws and legislation that are imminent in the US.
My initial suggestion would be to have someone in your organization start putting a Data Protection and Compliance plan together, and to designate a person or team as the point of contact should your clients have questions about the data you store for them. Don’t just say you care about protecting your clients and their data; really do it, and champion it within your organization.