As we assist clients with preparing for GDPR compliance before and after this Friday’s effective date, I thought to share some quick thoughts on the law and what we are seeing here at Taft.

  1. “GDPR Compliant.” Be wary of companies making such claims, and don’t make such claims yourselves. As with HIPAA, there is no such thing as a stamp of “compliance” approval. And, like bragging about your information security, warranting that you are “compliant” is just asking for that claim to be challenged. “Compliance” will be a moving target with a law that has yet to go into effect. Work toward meeting the requirements, but don’t ever think you have achieved all of them (or that your vendors or subcontractors have).
  2. See this as an opportunity. Don’t ignore the law’s requirements and its applicability to your business, no matter how small. Get informed and make good risk-based decisions on how to implement, if at all. I am advising many clients to see GDPR as an opportunity to get their global data governance act together. Here in the States, I often like to say, “if you can make California happy with your information privacy practices, you can likely make any other state happy too.” Well, if you can satisfy the EU’s requirements, chances are you can meet any country’s (or company’s) requirements. So, don’t look at this as just a compliance requirement. It is an opportunity to upgrade your business plan. The reality is that good information privacy and security practices will be the cost of admission to competition for business.
  3. It’s all about the (personal) data. Before you take the plunge into GDPR compliance, make sure you actually process “personal data” for “data subjects” that are “in the Union.” Be it for employees or customers, do you process the personal data of individuals that are in the EU when you process such data? Maybe you don’t collect “personal data,” or maybe those individuals are not “in the Union.” It is not about citizenship or residency. Is the data subject in the Union, and do you process personal data? If not, you may not have to comply.
  4. You are not alone. Loads of companies are struggling to figure out if GDPR applies and what, if any, things they need to implement to meet the law’s requirements. And yes, even companies in the EU are struggling. Keep calm and carry on. It is a marathon and not a sprint.
  5. Just get started. You may not be “compliant” on May 25, 2018, or even May of 2019 for that matter. What is important is that you have a plan and start to execute it, just like with data here in the U.S. Do you at least have a plan and a story to tell when something bad happens?

That’s it. Short and sweet. Now, back to the fun.