By now, you’ve probably heard the term GDPR.
And gotten anywhere from 1 to 100 emails about it from the likes of Google, Facebook, & more.
The compliance deadline passed on May 25, 2018, which means fines are fair game now.
But you might still be wondering what the regulation entails, who it affects, and how much fines could be.
That’s why we’re here: to break it down quickly and in an easily digestible form.
Here we go!
Who: This regulation affects any business that collects or processes personal data about individuals who reside in the European Economic Area (EEA).
Being located outside the EU does not mean you are safe from this regulation. It applies to any company that processes even one piece of data about one citizen in the EU, regardless of your business address or where your data processing takes place.
What: “GDPR” is short for the General Data Protection Regulation.
Where: The European Economic Area includes the EU, Iceland, Liechtenstein, and Norway. Again, this location applies to any person you have data on, not your business.
When: The deadline for compliance was May 25th, 2018. This was after a grace period for two years already, believe it or not; the regulation was technically adopted in April 2016.
Why: To protect the security of citizens in the EU and surrounding areas. This is important to you because, if the regulation applies to your company and you are found to be noncompliant after May 25th, you could be fined 20 million euros or 4% of your global annual turnover.
An important distinction to be aware of is how your company is classified, if you’re affected. You likely fall into one of two categories:
Data processors are vendors that collect information for another company’s use.
Data controllers are companies that collect information for their own use.
Whether you’re a controller or processor, you need to know what personal data means.*
If you’re a controller, you need to be able to provide access to, and deletion of, the data you hold on any EU citizen who requests it.
If you’re a processor, you need to be able to offer your controllers the ability to export or delete that data, either as a service you perform for them or as a self-service feature.
If you’re a controller, part of this means educating all customer-facing employees at your organization so they know how to respond to requests from EU citizens.
Some questions to consider:
- Have you taken proactive measures to communicate with your employees about how to respond to requests starting on May 25th?
- Have you taken measures to communicate a second time to catch anyone who may have missed your first training or announcement?
- Are your employees aware that they need to address requests from EU citizens within 30 days, and do you have a fallback in place to make sure that no request is dropped?
- Do you have collateral to reference when employees have questions, are unsure about the process, or need a refresher?
- Do you have formal documentation ready in case you are audited by a compliance officer? (Having policies in place to address requests is important to regulators.)
*What is “personal data” under the GDPR?
Any information that can identify an individual, not just on its own but in combination with other data. So if one piece of data, combined with another, lets you say “this is one specific, identifiable person,” then it is personal data. Examples include:
- Physical address
- Phone number
- Email address
Want more info? Check out what SevenRooms is doing to keep customers compliant.