GDPR - DON'T PANIC!

GDPR - DON'T PANIC!
Joel Baglien profile picture

By Joel Baglien, VP Business Development

Categories:

Today, May 25, 2018, GDPR goes into effect.  To borrow some deeply practical advice from Douglas Adams, ‘The Hitchhiker’s Guide to the Galaxy’ . . . DON’T PANIC!

Despite the alarmist emails you may be receiving or dire warnings you hear from technology, legal, and other business types, the odds of GDPR causing you immediate difficulties are slim to none.  But, and there is always a ‘but’, you really do need to have a basic awareness of GDPR and whether it might affect your organization.  

The intended audience for this blog post are organizations with headquarters in the US and Canada.
 

What GDPR Is

GDPR is the General Data Protection Regulation is an European Union law on data protection and privacy for all individuals within the EU. Not located in an EU county?  GDPR also addresses the export of personal data outside the EU (door slams shut).  GDPR also aims to give EU citizens and residents control over their personal data (another door slams shut).  One last thing . . . GDPR broadens the definition of ‘personal data’ to include locations, browsing history, and IP addresses.

Adopted on April 14, 2016, GDPR had a 2-year transition period until it became enforceable – today!  Penalties for non-compliance can be up to 4% of an organization’s global revenue or 20 million Euros, (about $24 million) whichever is higher.

Let me repeat, DON’T PANIC!
 

GDPR Highlights

Consent is a big part of GDPR.  Consent must be explicit and clearly explain the purposes that data will be used for.  Consent for children must be given by the child’s parent or custodian and needs to be verifiable.  Recording of phone calls have very specific rules and restrictions under GDPR.

GDPR provides a 'Bill of Rights' for personal information.  There are eight 'rights' under GDPR, the most commonly referenced are the following four.

Right to Be Informed - If an organization has a data breach, GDPR has specific rules and timelines that require notifications to supervisory authorities as well as the individuals who’ personal data may have been compromised.

Right of Access - When a customer requests a copy of their information, it must be sent for free within a month of the request, typically in an electornic format.

Right to Rectification - Organizations must amend incorrect or incomplete information (in a timely manner) when asked to do so by a customer.

Right to be Forgotten (aka 'Right to Erasure') - An EU citizen can request that any personal data related to them be erased by an organization from all systems.

Data protection by design and default is another component of GDPR. This means an organizations privacy settings must be set at a high level by default and that both technical and process measures must be in place to ensure that personal data is not processed unless it is necessary for a specific purpose.

Again, for the record, DON’T PANIC!
 

GDPR Impact

Cost?  Research conducted by Dimensional Research  in May 2017 found the following:
  • 55% of respondents will be investing in technology and tools to help with GDPR compliance
  • 83% expect GDPR spending to be in the six-figures
  • 25% of large companies expect to spend over $1M to address GDPR
The security and privacy professional participating in the research worked for organizations with a minimum of 500 employees with 92% of the organizations headquartered in the US or Canada, 5% headquartered in an EU country, and 3% in Asia Pacific, Central America, or South America.

If you are a company based in the United States, you need to be thinking about GDPR if you have EU citizens or residents sharing some of their personal data with you via a website form or a phone call. This sharing of data might be in the form of a request for product information, an online college application, an online warranty registration, or any number of other types of contacts.

One more time, DON’T PANIC!
 

GDPR First Steps

There are some practical steps you can take to move thinking and action about GDPR forward in your organization. It would be too easy (and self-serving) to say hire High Monkey to help you with GDPR planning and compliance . . . so I won’t say that.  Some first steps you can take are:
  • There are a lot of practical guides to GDPR – there are several books available, some guides are published by product vendors like Microsoft, SAP, and IBM (to name a few) – other guides are published by law firms or consultants.  Do a search and read a few of them to get familiar with GDPR. Our favorite CMS from Kentico has a great white paper titled ‘CDPR Compliance and Your CMS’ available online.
  • The process around how GDPR will be investigated and enforced has a lot of unknowns. There will likely be a few large profile cases that happen in the next several years . . . think in terms of organizations with a business model that is all around collecting personal data. How those first few enforcement cases roll out will set a tone.
  • If you can prove that your organization does not have any contact with EU citizens or residents, you probably don’t have much to worry about.
  • If your organization possesses personal data that has been provided by at least one EU citizen or resident, you should:
    • Start looking at how you solicit consent and the phrasing you use
    • Understand all the locations that personal data is stored (websites, databases, file shares, portals, spreadsheets, documents, directories, etc.)
    • Review your organization’s policies and practices for data retention and data security
    • Begin creating a process to handle requests from EU citizens and residents who ask to be provided with a copy of their personal data your organization may possess, or who invoke their ‘right to be forgotten’.
  • Look at tools that are GDPR compliant or that have tools that help you achieve compliance.  We are a Kentico CMS Gold Partner and we recommend the Kentico platform for websites (in part) because they are leaders in building processes and best practices into their Content Management System product. Kentico has some great information about GDPR and data protection available on their website.
  • Make a good faith effort toward GDPR compliance and document it.  This step can make a big difference in how penalties are assessed and whether your organization is given a ‘grace window’ to achieve compliance.
If you have questions about GDPR and what steps you can take within your organization, please contact High Monkey – Joel Baglien, VP Business Solutions – jbaglien@highmonkey.com or 612.594.7671

And, of course . . . DON’T PANIC!



Note: This blog post does not constitute legal advice or guidance.