This uncertainty was evident throughout the recent 'GDPR for Dummies Roadshow', which saw us tour across nine major European cities offering practical, advice-driven workshops. With so much information out there, the roadshows aimed to provide some clarity – the do's and don'ts of getting to grips with GDPR, if you like.
Don't misinterpret your responsibilities
So long as you understand your core data processes and their relation to personal data, you should be well equipped to evaluate and mitigate your key risks without such an extensive project.
Do check border-specific regulation variations
Individual countries can be flexible in how they implement certain areas of the legislation. The age at which someone can submit data without parental consent, for example, can vary across borders, so it's worth looking out for country-specific points of difference and how you may need to alter your personal data management approach accordingly.
Don't think it's just for the EU
Though GDPR is a European regulation, it has wider implications. If your company is based outside the EU but engages in business transactions with an individual based in Europe, then GDPR still applies. Similarly, businesses headquartered outside the EU but with European operations must also comply. GDPR is about personal data and the locality of the person when their data is collected determines the applicability of the regulation.
Do value employee data
A common misconception is that GDPR only matters for B2C organisations handling customer data. GDPR is much broader than this and applies to the personal data of anyone in the EU, including employees. In fact, some of the largest GDPR remediation projects currently involve multinational B2B organisations. Providing employees with a privacy notice outlining the ways in which their personal data is used and the basis for doing so is needed to ensure adequate transparency.
Don't count on a grace period
GDPR was introduced over two years ago, so any 'grace period' has been and gone. The deadline of 25th May is real, and it's worth ensuring at the very least that your key personnel are well versed in their roles and responsibilities and that your 'low-hanging fruit' high-risk remediation activities have been addressed – even if some of the larger-scale transformation projects are far from completion.
Do know your processors from your controllers
The 'GDPR for Dummies Roadshow' provided an open forum for discussion that promoted a practical, risk-based approach. Be pragmatic, identify your key risks, and mitigate where you can before the deadline. Though some changes may take time, showing that a clear and actionable plan is in place will demonstrate you are on the right track to compliance and safeguard your business from any unexpected fines.
For more advice on GDPR, download the official 'GDPR for Dummies' guide.
Contributed by Shane Fuller, lead privacy advisor, MetaCompliance and co-author of the official 'GDPR for Dummies' guide.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.