The European Union's GDPR took effect on May 25, 2018. It applies to any organization that processes the personal data of individuals in the EU, whether the organization is established in the EU or not and irrespective of where the processing itself takes place.
Here are the steps your organization can take now to be GDPR-compliant:
- Create a data privacy group that includes employees across regions, as the GDPR also affects businesses based outside of the EU. This team should undertake a data processing audit and conduct a privacy impact assessment of existing processing activities and new implementations.
- Enter into a data processing agreement with each processor (and, where you act as a processor, with each controller) that comprehensively describes the activities to be covered. At a minimum, this should include the subject matter and duration of the processing, its nature and purpose, the categories of data subjects and the types of personal data processed.
- Implement and document appropriate organizational processes to respond to data subject requests within the statutory deadlines, to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (and affected individuals without undue delay where the breach is likely to result in a high risk to them), and to provide appropriate privacy training to your employees.
- Educate employees throughout your organization about GDPR requirements and ensure that decision-makers understand the new regulation and its effects on your organization.
According to Dannie Combs, chief information security officer at Donnelley Financial Solutions (DFIN), “C-suites that make data privacy a priority will learn that it is not just a good business practice. It can also deliver a significant competitive advantage to organizations.”
Legal Disclaimer: This document is prepared to give you a general overview of how DFIN interprets the GDPR and is provided for informational purposes only. It is not intended to be or provide you with legal advice. Please consult your legal counsel for legal advice regarding the GDPR and how it applies to you.