The General Data Protection Regulation is coming - are you prepared?
Effective May 25th of this year, the European Union's General Data Protection Regulation is entering into force as drafted. Compliance is expected on day one: the "preparation time" is now, and has been the time since the regulations were proposed for implementation.
Hopefully you're ready. The regulations, which are fully effective in the United Kingdom, Brexit notwithstanding, comprehensively apply to anyone doing business with any person in the European Union or the United Kingdom. You don't have to be based in the EU, organized in the EU, or even necessarily sell any products into the EU - you only need to be transacting business with such a person. Those in businesses like e-commerce, digital services, or other internet-based businesses will quickly realize that this means the GDPR applies to pretty much all of us.
If you haven't started yet, the time is now. And you have a lot to do. Beefing up your website terms and conditions to represent, clearly and plainly, all of the data that you receive or acquire from users, how you use it, and how other people use it is just the beginning. All levels of your organization, from human resources down to sales and marketing, need to be involved. The strategic partners who provide your CRM, your outreach and marketing teams, your sales teams, everyone who engages with a customer and is a possible touch-point for customer information as basic as a name or an address needs to be included.
The process itself is subject to inspection and audit under the GDPR. The effort that you put into compliance counts. Preparation itself is important, but your preparedness, and the process, training, and internal compliance regime that you establish are themselves part and parcel of the GDPR.
The main thrust of the GDPR is that each person is the owner and custodian of their own data. Each person, having the intelligence and attention span of an approximately average person, therefore deserves to have the actual and potential uses of their data explained thoroughly. It's an informed consent law for personal data. The high strictures once reserved for health information and credit card data now extend to every meaningful data point about the human person.
Breach preparedness is now more serious than ever before. Regardless of the size or relative seriousness of a data breach, every person whose personal data you hold must now be alerted within seventy-two hours of the breach - rain or shine, Christmas or Arbor Day.
The fines for noncompliance aren't small. 20 million Euros or 4% of the revenues of your firm - whichever yields the greater fine - is on the table. That is to say, the applicable authorities have a more or less plenary power to crush a small business that is noncompliant.
Add to this the increasingly dizzying patchwork of local rules and regulations - the GDPR grants broad authority to member states to tighten the regulations up and establish local inspection processes - and you are looking at a true compliance headache.
Fortunately, both American and European attorneys have already been hard at work streamlining the process. Ray-at-Law included. Contact me today if you're seeking guidance, on any side of the ocean, in GDPR compliance.