The EU’s General Data Protection Regulation (GDPR) is coming in May 2018 and preparing for it will be a time-consuming and daunting task.
Many organizations are not prepared. Gartner expects that, by the end of 2018, over 50% of companies affected by the GDPR will not be in full compliance with its requirements.
And, as we have reiterated, it is not just organizations residing in EU countries that are affected. GDPR affects anyone processing personal data for the offering of goods and services to, or monitoring the behavior of, data subjects within the EU. This includes the USA among other countries.
So, if you are among the unprepared and are not willing to risk sanctions for noncompliance, here is what requires your immediate attention.
In a white paper, Gartner has identified five high-priority changes that will help you get up to speed with GDPR requirements.
- Determine your role under the GDPR.
- Appoint your data protection officer.
- Demonstrate accountability in all processing activities.
- Check your cross-border data flows.
- Prepare for data subjects exercising their rights.
We will discuss #1 - determining your role under GDPR - in this blog. Ask yourself the following questions:
- Do you offer goods or services to people in the EU?
- Do you monitor behavior (including online activity) of people residing in the EU?
- Do you process personal data on EU residents on behalf of a company based in the EU?
If you answer yes to any of these questions, then your organization is probably subject to GDPR. In addition, if your organization decides why and how personal data is processed, it is essentially a "data controller." If so, you should appoint an EU-based representative to act as the contact point for the data protection authority (DPA) and for data subjects.
This is a good start. The next change – appointing a data protection officer – will take a lot longer to explain in my next blog.