Dynamic Communities Magazine


GDPR: What is it and How Does it Apply to My Company?

04-27-2020 17:07 Frank Vukovits Dynamics 365 CE | CRM, Dynamics 365 BC | NAV

This article can help your organization understand and comply with the European Union's General Data Protection Regulation (GDPR). 

Originally published in H1 2018 D365UG/CRMUG and BCUG/NAVUG magazines.

Every day there is more and more information about the General Data Protection Regulation (GDPR) and the May deadline that is fast approaching. Unfortunately, much of the news is about companies that aren’t prepared at all or are late in their preparation toward compliance. There are many reasons for this lack of preparedness, the biggest being the misconceptions around GDPR. Let’s try to break down a couple of those misconceptions in the hope that your company can quickly get on the road to compliance.

GDPR is a regulation from the European Parliament, adopted in April 2016 with a deadline of May 25, 2018. It governs the rights to personal data of European Union citizens. Think of it as digital rights around the privacy of one’s personal data. It provides guidelines on how the data is to be stored and handled, what rights EU citizens have to their personal data, and how companies must handle this personal data. Just like you have rights to your property, the regulation defines the rights to your personal data as well.

So, with the definition out of the way, let’s start with the biggest misconception about GDPR: that it only applies to companies headquartered in the EU. While it is true that all companies in the EU must address GDPR, it is not because of their location. Rather, GDPR is designed to protect the personal data rights of all EU citizens, regardless of where they might live or what country they might work in. Wherever the personal data of an EU citizen is stored, that data is covered under GDPR. Companies around the world, including in the United States, need to address GDPR and its impact on their business.

Second, many believe GDPR to be an IT and legal issue. Again, this is simply not true. While it is certainly accurate that IT and legal teams will need to be involved in activities to address compliance, GDPR is much more than a two-department issue. Rather, it involves the entire company, from the top down. It includes executive understanding and commitment as well as involvement not just from IT and legal, but also from operations and any department where EU citizen personal data might be collected and used. This also includes HR processes when your company employs EU citizens. No department is exempt from review when designing a program for GDPR compliance. Privacy or security by design is one of the themes of GDPR, and it can only be implemented successfully if all parts of a company are aligned around GDPR compliance activities.

Finally, the third biggest misconception about GDPR is that it is all about the “right to be forgotten”. While it is true this right is clearly spelled out in GDPR, it is only one of many rights related to EU citizens and their personal data. The rights also include access, rectification, restriction of processing, data portability, objection, and the right not to be subject to automated decision making and profiling. Each of these rights requires companies to take action and update their business processes to make sure their handling of personal data can accommodate these rights. This requires much more than an exercise to erase or forget the personal data of an EU citizen on request.

So, with 11 chapters, 99 articles, and 173 recitals in the regulation, there is a lot of information for you and your company to understand when it comes to GDPR and becoming compliant before the May 25, 2018 deadline. Many, many companies are behind in the work required to become compliant, and some may even choose to just pay the fine, which is 20 million Euro or four percent of annual revenue. If your company hasn’t started yet, odds are you will not be able to have everything in place by the deadline, but if you have started the exercise to reach compliance, and you can document your plans and actions, that is a step in the right direction.

No one knows for sure how the many audits around compliance will play out. When, where, who, and how much are all still to be determined later this summer when it comes to these audits. Having a plan in place and getting your work completed, perhaps before you even get audited, are steps in the right direction to meet the regulation. Either start now or finish strong with your current activities related to GDPR; just don’t make the mistake of assuming it doesn’t apply to your company, because for most companies, it probably does.

This Webinar Speed Read is a summary of the tips and tricks shared in “GDPR: What Is it and How Does It Apply to My Company” delivered by Frank Vukovits of Fastpath. You can view the full webinar at https://www.crmug.com/crmug/participate/recordings (search by the title name).


Written by Frank Vukovits

Director, Strategic Partnerships Fastpath
