In his latest blog, Hu Yoshida posed this question:
"Should IT Departments Be Worried About GDPR?"
to which I respond:
Yes, IT Departments (even in the USA) Should Worry About GDPR!
The General Data Protection Regulation (GDPR) is a new European Union (EU) regulation intended to protect all EU citizens from privacy and data breaches in an increasingly data-driven world and will become law on May 24th, 2018. Now, don’t think that because you live outside the EU that this doesn’t apply to you. Even though the new regulation primarily addresses EU-based organizations, it also directly impacts organizations in the USA.
Do you . . .
- have offices or employees in the EU?
- market or sell goods or services to EU citizens?
- partner with EU-based organizations?
- process, store, receive, or handle in any way, data pertaining to EU citizens?
If so, you must comply with the EU GDPR guidelines. If you don’t, you will face fines of up to 20,000,000 Euros or up to 4% of your company’s annual revenue!
Consider and plan for the following:
1. Data that already resides within your organization
If you’ve done business with, corresponded with, or collected information from any EU citizen in the past, whether intentionally or not, you must identify any data that could potentially be used to identify an EU citizen, and make sure all storage, processing, and management of that data is compliant.
2. All new data collected
Does your organization operate in, market to, or sell to individuals or businesses in the EU? You may need to put new processes in place to handle EU citizens’ data. Requests for product demos, technical support, emails, and all other incoming data must be classified according to where the individuals reside, to ensure EU data is processed, stored, and managed in accordance with the new law.
3. If data is breached, altered, deleted, or destroyed
Does your organization keep a detailed, auditable log of the lifespan of each piece of data? Under the new GDPR guidelines, EU citizens must opt in to data collection, may request deletion of data, and must be expressly informed of the purpose(s) of use, duration of storage, and loss or destruction of their data.
Don’t wait. Get started now!
GDPR will become law on May 24th, 2018, but you can’t wait until then to do something about it. You need to start planning now so that you are ready when it becomes law and avoid fines of up to 20,000,000 Euros or up to 4% of your company’s annual revenue!