Are we closing the barn door after the horse has already bolted? Yes and no.
Yes, it’s a bit late given that the European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25th and here we are, 2 months later, talking to you about it. Not to mention that the regulation was passed in April of 2016, so companies had 25 months to figure it out before it went into effect.
No, it’s not too late to talk about it because many, many companies are still trying to figure IF and HOW it affects them. No wonder. The regulation consists of 11 chapters, within which there are 99 articles, and 173 recitals. Realizing that I would never have time to plow through all of that, I conducted a Google search for “GDPR cheat sheet.” It returned 371,000 results. In other words, there’s a lot of help out there for those of us who still need help.
TechRepublic published their GDPR cheat sheet on May 24th at 2:54 AM PST. Whew. Just in time. It’s in plain English, so you might find it helpful. If you prefer to hear about it rather than reading about it, there’s also a 16-minute Q&A video included on that site.
GDPR in a Nutshell
GDPR contains provisions and requirements pertaining to the processing of “personally identifiable information” of individuals (formally called data subjects in the GDPR) inside the EU, and applies to all enterprises, regardless of location, that are doing business with the European Economic Area. Personal data must be stored using pseudonymization or full anonymization, and must use the highest-possible privacy settings by default so that the data is not available publicly without explicit, informed consent. The data subject has the right to revoke this consent at any time.
A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for such data processing, state how long the data is being retained, and state whether it is being shared with any third parties inside or outside of the EU.
Businesses must report data breaches within 72 hours if they have an adverse effect on user privacy.
Start with IF
Does your company need to comply with GDPR?
The most obvious reasons that you may need to comply would be if your company – or branches or subsidiaries of your company – reside in or do business in the EU or with companies in the EU.
But what about companies that don’t fall into the above categories?
You may have ignored all of the noise around GDPR because you assumed that as a U.S. company, the regulation does not apply to you. After all, the United States is not a member of the EU. Sorry, but that assumption is misguided. In a digital, globalized world, there are several reasons why GDPR may still apply to your company. But instead of trying to decipher all of the verbiage related to the question of who needs to comply, we can make this really simple for you, because the bottom line is this: Any business with an internet presence is potentially subject to this law. Furthermore, there are no exemptions for size or scope.
Moving on to HOW
There’s no quick answer to the “how” question because the rules and regulations are numerous. But if you abide by the 4 rules highlighted in the Nutshell above, you’ll cover much of what is required.
Personal data must be stored using pseudonymization or full anonymization.
You must have explicit, informed consent to collect or store personal data.
You must disclose any data collection. For example, if your Web site collects the personal data of visitors, those visitors need to be notified of that fact.
You must report data breaches within 72 hours.
GDPR Help Desk
Strategic Systems Group (SSG) is NOT an official help desk for GDPR assistance. However, as a company that implements ERP software systems for manufacturers and distributors, we have researched the topic extensively to determine how it applies to our own business as well as to many of our manufacturing clients who either reside in the EU or have branches, subsidiaries, affiliates, partners, or vendors in the EU. Let us know if we can help.
If you want to hack it on your own, here’s the link to the official GDPR site.
For more information, call us at 310.539.4645 or email us at firstname.lastname@example.org. We look forward to speaking with you soon.