Brandi Thorne from Aires provides some guidance to help US-based companies get to grips with GDPR.
GDPR – four letters that have been a major topic of discussion for businesses since the end of 2016. But, what is it exactly? Schellman & Company, one of the top leaders in the US compliance industry, wrote a comprehensive blog post dedicated to demystifying this topic.
According to their post, the General Data Protection Regulation (GDPR) has been in effect since May 25, 2018 and was designed to uphold personal information rights of individuals and further unify the member states of the European Union (EU) in their endeavour to manage and protect data. So, the goal is to protect the information of EU citizens. Seems pretty simple, right? Well, not exactly. How GDPR affects US-based businesses is an even bigger conversation and deserves further exploration to understand the rules for compliance.
The United States is directly affected by GDPR because this privacy law is applicable to any business in the world that works within the European market. The data breach notification requirements are more stringent and will require that most US companies amend their policies to be compliant.
Naturally, the next question is how a US-based business becomes compliant? It is recommended to visit an official site, such as eugdpr.org, to learn about the process to become GDPR compliant. Since most of us are looking for straightforward points on how to do anything these days, Maureen Data Systems (MDS) summarizes GDPR compliance by asking these five questions:
- Where does your data live? Where you store data and its relevancy to GDPR is very important. Applicable data could be in several locations within your business.
- How do you take action? Once you have located your data, you can take action on how it is shared. You should delete ROT (redundant, obsolete and trivial) data.
- What is the current policy? The next step is to decide how you will handle the information. Consider the type of data you collect as well as how you handle and hold information. Storage of data and the length of time are a part of your policy review as well.
- Is your data securely stored? Ensure that your data security is positioned for success. It is recommended that you have an ambassador for your security programme to ensure that all systems are secured – especially with recent increased threats for cyber-attacks.
- Can you provide reporting? Ensuring a business is compliant means reporting should be provided to show regulators all steps that are being taken to meet the GDPR requirements.
Penalties and fines associated with this regulation can be in excess of 20 million euro or 4% of your company’s net income. So, take action! The sooner you invest in these compliance measures the better for your clients – and your business!
Photo: Brandi Thorne, Aires