You may have heard about the upcoming European Union’s General Data Protection Regulation (GDPR) that will be going into effect on May 25, 2018. What is it about, what does it mean to you, and more importantly, what is Virtual doing to address compliance?
The regulation applies to all organizations gathering, processing and holding the personal data of European Union citizens, regardless of the organization’s location. It also addresses the export of personal data outside the EU. This data is not limited to banking information, medical information and address information. It also includes computer IP addresses, photos, email addresses, and even posts on social networking websites that can be used to directly or indirectly identify a person.
Organizations may acquire this information through various methods. Some is collected in website analytics, some is pulled from third-party data sources, and some is even provided by the individuals themselves. Regardless of how this information is obtained, the GDPR dictates new rules around user consent and greater rights for people to access and request deletion of the information organizations hold on them. It also contains requirements for mandatory security notifications. This is a serious matter, especially when considering that organizations will be jointly and separately liable for the data they handle and that penalties for non-compliance will include fines of up to €20 million.
We are now at T-minus 6 months to the effective date, and a delay does not seem to be in the cards. We believe organizations should take action and begin planning if they haven’t already.
At Virtual, we are addressing GDPR compliance by focusing both on how we handle our own personal and analytical data and on how we manage both for our clients. A key component in the compliance puzzle is third-party platforms. As such, we have been in discussions with our tool vendors, and we are finding that we are a bit ahead of them.
Here is what Virtual is doing to prepare for GDPR:
- We are educating ourselves on the regulation and its impacts,
- We have established an internal, multi-stakeholder task force to identify potential impacts and to determine our course of action,
- We have compiled an inventory of tools our clients work with and are working with vendors to understand what they will be doing and when to ensure compliance,
- We have identified clients who are at the most risk with this regulation and will be proactively reaching out to them,
- We are looking at how we use data internally and how it could be impacted, and
- Finally, we are consulting as necessary with privacy experts to aid in compliance activities.
It’s not all doom and gloom, though: the GDPR offers an opportunity for organizations to take a proactive approach to how they manage their data and the privacy of the people they interact with, for the benefit of all parties involved, before there is a breach. We will be working hard to address GDPR as the compliance deadline looms closer. Stay tuned for more to come from us on this.
In the meantime, the official PDF of the GDPR, organized by chapter and article, can be found at https://gdpr-info.eu/.