How to Get Ready for GDPR

(Image: EtiAmmos/Shutterstock)

Organizations around the world are getting ready for a new regulation that governs how they must handle data about European consumers, the General Data Protection Regulation or GDPR. Why are non-European companies preparing for this regulation? US-based consumers don't enjoy such protections. Indeed, US regulations appear to be going in the opposite direction if you consider the move in March to roll back broadband privacy regulations, enabling service providers to use consumers' internet history to target advertising.

But you don't have to be a European company to deal with European customers. Any organization that stores or touches data coming from Europe will need to comply with this new regulation or pay stiff penalties -- up to 4% of annual revenue.

Experts note that "any US company with European customers in its database must fully comply or face big fines." A survey commissioned by Compuware found that 52% of large US companies store information that fits that profile. So chances are GDPR will affect you, even if you are in the US and work for a US-based company.

A couple of the basic elements of GDPR consumer protections include the following:

  • The right to be forgotten. As a consumer in Europe, you are empowered to require a company to delete every bit of data they have about you.
  • Data portability. If you are moving from one service provider to another, your provider must give you your data in a format that lets you transfer it from one service provider to another.

The good news is that enforcement of these new regulations goes into effect in May 2018, so there is still time to prepare. But you'd better get started now, because you have a big job ahead of you.

That's just what ADP, best known as a payroll and human resources service provider serving companies around the world, is helping its corporate customers to do.

"Clients have been asking questions since GDPR was enacted a year ago," Cecile Georges, Chief Privacy Officer at ADP, told me in an interview. "Clients want to know what they have to do to comply."

While ADP doesn't provide legal advice, Georges did offer some ideas about where organizations should start with their GDPR compliance efforts.

The first step, she said, is to understand the regulation itself. Georges points out that GDPR is made up of 99 articles, so any efforts to comply will include gaining an understanding of how those articles apply to your individual business.

How do you do that? Georges' next recommended step is to perform a gap analysis that inventories your organization's data processes as they are now versus where they need to be to comply with the new rules. In this stage companies will need to answer questions such as: Who accesses the data? Where is it stored? Do you own the data?

"What companies do to comply will depend on the results of their individual gap analysis, so the answer won't be the same for everyone," Georges said.

"If you collect and process data originating from Europe, even if you don't have a company or legal entity over there, you are required to comply with GDPR," Georges said.

Companies with both European and non-European customers will need to decide whether they want to create multiple compliance efforts -- a complicated undertaking. Do you run a separate program for the data and customers that touch Europe? Do you accept the effort, expense, and complexity of running two or more parallel compliance programs? Or should you instead create a single program that endeavors to comply with the regulations of the strictest jurisdiction where the company does business? That's not an easy question to answer, Georges noted. She sees some companies looking to create a hybrid approach.

How companies actually proceed remains to be seen. What about your company? How are you handling GDPR? Are you implementing multiple compliance programs within your company? Or are you following a single GDPR-like compliance effort? Let us know in the comments.

Jessica Davis, Senior Editor, Enterprise Apps, Informationweek

Jessica Davis has spent a career covering the intersection of business and technology at titles including IDG's Infoworld, Ziff Davis Enterprise's eWeek and Channel Insider, and Penton Technology's MSPmentor. She's passionate about the practical use of business intelligence, predictive analytics, and big data for smarter business and a better world. In her spare time she enjoys playing Minecraft and other video games with her sons. She's also a student and performer of improvisational comedy. Follow her on Twitter: @jessicadavis.

Re: Is this impacted by Brexit?
  • 7/4/2017 9:46:49 AM

With the heavy penalties companies may incur, it will be worth watching to see how everyone will scramble to comply with the new regulations. Even with almost a year to go before enforcement begins, it will not be easy, I'm guessing, for folks to get their programs into compliance that quickly, especially should they delay in planning for the changes.

Re: Is this impacted by Brexit?
  • 7/2/2017 10:28:20 PM
Bryan writes "In short, I think that the speed of the news cycle, the usage of social media to affect fast social change, and the growing western emphasis on nationalism may take some of the teeth out of the program."

More than that. If the Trump regime can be considered a model of the behavior of an extremist-right government, applied to the European scenario, it is possible that GDPR and a swath of other EU rules and regulations could at some point be rescinded entirely.
Re: Is this impacted by Brexit?
  • 6/27/2017 6:53:11 PM

@bkbeverly, projecting the landscape is fine to do, but policy and procedures have to be based on how things stand today. Even Brexit is not on firm footing. This turn towards nationalism or even regionalism may experience a quick turnabout once some negative effects are felt. In the end, this is a world economy and business will have to navigate accordingly.

Is this impacted by Brexit?
  • 6/27/2017 2:50:27 PM

Perhaps this question is answered, but I wonder how this concept would be impacted by countries leaving the EU? It looks like this program was four years in development, but the political landscape has changed since then.

I am also thinking about the US Dodd-Frank act. While that was birthed with consensus as the country aimed to not recreate the conditions that ignited the economic meltdown, I think we can safely say that it will be weakened as time goes by.

In short, I think that the speed of the news cycle, the usage of social media to affect fast social change, and the growing western emphasis on nationalism may take some of the teeth out of the program.