In just one month - on May 25, 2018 - the European Union's General Data Protection Regulation, commonly called GDPR, will become not only the law of the land in Europe but across the globe. If you do business anywhere in the world and collect personally identifiable information (PII) on an EU citizen, you will be subject to GDPR regulations. Remember that GDPR is a privacy regulation, not a data security regulation, but the former certainly impacts the latter. Here are the Top 6 steps you need to take in order to become GDPR compliant. It is important to note that many information security and privacy experts disagree on the order of the steps, but in general they agree that these are the most important steps to put in place as soon as possible.
3. Put privacy protection policies in place and follow them. In the EU, corporate intent often overrides the letter of the law. If your company has policies and procedures in place for protecting PII and a breach occurs, regulators likely will be more understanding if a company tries to do the right thing and follows its policies and procedures. Unlike US regulations such as PCI DSS where companies need to follow the letter of the regulation, the EU views trying to do the right thing as critical to the process and sometimes more important than actually following the letter of the law if the former approach protects PII more effectively.
4. Hire a data protection officer. Actually, not every company needs a data protection officer (DPO). The local coffee kiosk likely would be exempt, but if your company has a web site that collects analytics, sells to EU citizens or EU companies or collects demographic data on EU citizens for any purpose, you definitely need to be GDPR compliant and have a DPO. That said, whom you name as a DPO — an existing employee, a new employee, a third party — opens an entirely new can of worms and has its own multiple levels of considerations.
5. Convert your data collection processes to opt in. In the U.S., most companies offer an opt out option to individuals and companies when it comes to collecting and using personal data. In the U.S., if you don't want to be in a mailing list, you need to tell the list owner and opt out, for example. The EU requires explicit opt in consent from the person whose data is being collected. In addition, the popular Terms of Service (ToS) document used by U.S.-based companies that include opting in as part of an unrelated approvals is not acceptable to EU regulators. According to the EU, it is not consent if the person has no other options other than to approve a long ToS document.
6. Delete what you do not need. Many US companies have a policy of collecting as much data as possible about their customers, even if they do not necessarily know how to use the data at the moment. This policy is not consistent with GDPR. If you do have data on an EU citizen, be prepared to request permission from the individual for you to keep the data. EU citizens have a legal right to ask you to produce on demand any data you have on the person and for you to delete data at their request. Here is a simple recommendation: If your company has data on EU citizens that the company does not require for business purposes, delete it now. If you do not have the data, it cannot be compromised in a breach and you do not have to produce it on demand.