A Quick Summary of GDPR Compliance Requirements
There’s been a lot of chatter surrounding the European Union’s new GDPR law. If you’ve been left wondering what this new law means and if it even applies to your business, we’re here to help shed light on the subject. While technically the GDPR went into effect at the end of May 2018, an estimated 50% of affected US companies weren’t fully compliant by the start date, so there’s still work to be done.
What is GDPR & Who Does It Apply To?
Lawfulness of Processing
This part of the regulation states that in order to process, or handle, anyone’s data, you must have a legal basis to do so. What constitutes a legal basis is broad and can even vary between EU member states, but the biggest qualifiers are: informed consent, performance of contract, and legitimate interest. Let’s break those down.
Performance of contract is when your business needs to process a consumer’s data in order to fulfill a contract with them. This only extends as far as your business transaction though, so don’t try to market to these customers in the middle of fulfilling goods or services. The legitimate interests qualifier is a tricky one. The law says that you have a right to use data to fulfill legitimate business interests, as long as you balance the data privacy rights of your customers while you do so. This will be subject to objections and will be an area where precedent will likely become important as these guidelines start to be tested.
In addition to those main three, other legal bases include: vital interest (life or death situations), necessity to comply with legal obligations, and public interest.
Right to Access
Right to Erasure
Right to Data Portability
Right to Rectification
Should your company fall victim to a data breach, the GDPR states that companies may need to notify a relevant supervisory authority (like the EU member state’s Data Protection Authority) and customers of any risk within 72 hours of the breach.
The GDPR is an immense piece of legislation and all the ramifications and nuances of it are still being worked through, so it’s still too early to tell how aggressively the law will be enforced and which areas will be the biggest sticking points. Due to the size and uncertainty, we recommend teaming up with legal counsel to perform a thorough audit of your current business practices surrounding consumer data. Take stock of what types of data you collect and how it is gathered and subsequently stored. Could you delete a customer from all systems if needed? How transparent are you about how the data is used? Perhaps even make a document outlining all your current data procedures.
Once you’ve assessed the areas of your data policies that need to be addressed, you can start writing new policies and enhancing your technology infrastructure to ensure that all GDPR requirements can be met.
Here at Aptera, we’re studied up and ready to help you implement technical changes to bring your data strategy into compliance including: identifying the scope of compliance across your various systems and programs, deploying transparent data encryption, implementing user cookie and data collection consent interfaces, architecting for the right to be forgotten, and more.