If your company collects any personally identifying information from residents of the European Community (including the UK), you may need to comply with the General Data Protection Regulation (aka GDPR) before the end of May, 2018. It's time to update your policies, information controls and processes!
Non-compliance with the GDPR means that your business risks facing fines and lawsuits; compliance gives all your customers -- in Europe and elsewhere -- the security of knowing why you collect data from them, how you use it, and how they can correct it if it's wrong.
How can you be compliant?
Preparation starts with an audit that summarizes what information you collect. This includes personally identifying information ("PII") such as names, email addresses, usernames and IP addresses, as well as information that is linked to PII, such as the site a user arrived from, how much time they spend on your site, and anything they provide via forms or orders. The audit must also produce public documentation explaining why your use of the information is lawful, how long it is retained and what the data is used for.
Compliance with the GDPR involves many steps. It begins with an audit of internal policies on data collection, usage and retention, and may require coordination between IT, marketing, data analysis and the legal team. New policies will have to be drafted and shared -- and employees will have to be educated -- regarding the right to be forgotten and, where viable, data portability and subject access to data. Standard language for responding to data requests and comments will have to be written and put into operation, and restrictions on who can access data may need to be added. Record-keeping processes and documentation must be audited, and will likely need to be updated.
Does your site appeal to those under 16?
While US privacy rules treat those under 13 differently, the GDPR changes the rules for those between 13 and 16. If your site appeals to users of those ages, you need to either raise the age limit for registrants and remove those under 16, or evaluate whether your site must comply with the requirement that parents or guardians grant permission before information collected from 13- to 15-year-olds is stored or used.
Do you have a breach policy?
The strongest penalties are reserved for companies that experience a breach but fail to notify users and regulators promptly when it happens. It is vital to audit current practices and create new notification processes that include a Data Protection Officer.