It's been a little more than two months since the enforcement of the European Union's new General Data Protection Regulation (GDPR) began. This regulation was passed in 2016, requiring all businesses and organizations transacting business within the European Union (EU) to be in compliance by May 25, 2018. So, for the past two years, businesses have been preparing for this day. Yet, many are still asking a lot of questions: How will it impact them, if at all? What should they do to comply? What will happen if they do nothing?
The short answer is—if you haven’t heard it yet—any business or organization transacting business in the EU must be compliant or risk steep fines. The question is, "Are you ready, and if not, what remains to be done?"
State of Readiness

This particular regulation addresses the protection of personally identifiable information (PII), along with the rights of individuals to request a copy of the information you hold about them and to request that their personal information be deleted from your systems and from any system or party with whom you may have shared it. This means that as a business, you must identify every place this information resides and every party you may have passed it on to, and have a process in place to present and erase all of that data if requested to do so. Once again, we see the intersection of process, content, and people needed to manage it all, underlined by the need for governance.
- If you were faced with such a request today, could you comply?
- How would you find all of the information?
- What steps would you take to identify, present, and erase this data from your information ecosystem?
- Do you have someone designated as the responsible party to manage such requests, develop the processes and governance needed, and to ensure you are compliant?
In My View

There are many businesses outside of the EU willing to take the risk that they will never be called upon to act on such a request, but is this a theory you really want to test? At a minimum, you should have a plan in place to take action if needed. Start by designing a process that includes the collection and retrieval of the requested information, methods to present it to the data subject, steps to erase this information from your systems, and measures to notify any party you’ve shared this information with so that they take the appropriate actions on their side.
Bob Larrivee is a recognized expert in the application of advanced technologies and process improvement to solve business problems and enhance business operations. Follow him on Twitter @BobLarrivee or visit boblarriveeconsulting.com.