I get mixed messages about the hurry up for GDPR compliance from tech groups. But I’d rather not be subject to fines on the websites that I own or build after the deadline passes on May 25th.
GDPR refers to the General Data Protection Regulation (EU) 2016/679. It is an EU law on data protection and privacy for all individuals within the European Union. If you do any business or sell products to individuals in the EU, you need to make updates to your privacy notice and website functions. I’ve posted links to articles that may be helpful below.
My fear was that the day after the deadline passed, attorneys would begin trolling the internet for businesses in violation. So I asked an attorney about this. The beef for non-compliance will come from regulatory groups (the government) and it’s the mega data collectors who will be most closely watched — at first.
To be safe, it’s important to begin the compliance process. Like me, you’ve probably been flooded with notices from companies you do business with explaining the changes. Pay attention. Keep a record.
One of the most challenging requirements is keeping data for 10 years — yes, that’s part of the new law. Most of us are in the habit of keeping a trail of our business sales for that many years to satisfy the U.S. Internal Revenue Service. Check that any providers you work with can provide you with legacy data for 10 years. If not, you’ll need to set up a system for exporting and reporting.
For example, if you process all your sales through PayPal, you may already be compliant. But check with each vendor you use that collects data from users and customers and note the time limit on data storage.
Knowing your user and customer data path will be essential going forward. It’s not enough to slap up a privacy notice. You need to know where each piece of data you collect lives and/or moves because at any time you may receive a request to remove that data — within 24 hours. Whoa!
Here’s what you need to know about your data:
1. Where is it stored?
2. How is it managed?
3. How is it protected?
4. How is it monitored?
5. What is the reporting procedure to prove compliance with 1-4?
For more information, read the following articles. These links take you off this website.
- Information Commissioner’s Office (ICO) in the UK guidelines
The best news is that all this regulation is creating jobs. Yay! Meet the new Data Protection Officer.