The European Union adopted the General Data Protection Regulation (GDPR) in April 2016 and allowed a two-year period for companies to become compliant with the new, more stringent rules and regulations. May 25, 2018 is the big date to remember: it’s the day the GDPR becomes enforceable. There is no grace period after this date. In fact, there’s a big countdown clock on the GDPR website, and as of this blog’s publication, there are just over 100 days left to become compliant.
Don’t panic! If it’s any comfort, you are far from being the only company that isn’t compliant yet. According to a 2017 survey from TrustArc, 61% of US companies and 64% of UK companies surveyed had not begun implementation of their GDPR compliance programs. While it’s a tedious process, there are a few things you can do right away to save some time.
Maybe you just got caught up in all the GDPR news or were scared by the size of the possible fines. You’ll certainly save time if you don’t need to become GDPR compliant, so start by checking whether you need to comply at all. The first blog in our GDPR Basics Series should help you figure that out. However, even if the GDPR doesn’t affect you currently, you might still take time to learn about it and adjust your personal data practices to follow suit, in case things ever change.
If the GDPR does apply to your business there’s a ton (possibly an overwhelming amount) of information available online about it. So where should you get started? In addition to the regulation’s website above, The Information Commissioner’s Office of the UK (ICO) has a wealth of information and frequent updates. Yes, even with Brexit the UK still needs to be GDPR compliant. There’s also the International Association of Privacy Professionals. This IAPP blog series covering 10 Operational Impacts of the GDPR has some great information.
The GDPR doesn’t only cover data you collect from May 25 onward, but also all the personal data you’ve already collected. The good news is, if you collected that data in a GDPR-compliant way, you get to cross a lot of work off your list! We’ve created a Privacy Consent Gap Assessment to help you figure this out. After the assessment you’ll know how your company can improve its consent measures and proactively work to prevent the fines that flow from noncompliance.
Any controller regulated under the GDPR will need to have a data processing agreement (DPA) with any third party it shares data with. The controller must enter into a contract with the processor concerning the subject matter, the nature, the purpose and the intended duration of use for the personal information being processed. Articles 28-36 set out what is to be included in the DPA. We’ve noticed that updating data processing agreements can be a major hurdle to GDPR compliance. Fortunately, we’re hosting a webinar on February 20 that will help solve this problem. Click here to register today.