Getting Ready For GDPR Compliance

Beginning May 25 of this year, companies that handle data of citizens of the European Union will need to start to comply with The General Data Protection Regulation, better know as GDPR.  These norms protecting personally identifiable information (PII) will be stricter than similar US protections.  They’ll cover items like IP addresses, health information and political leanings alongside phone numbers, addresses and credit info.  Companies will also need to be able to eras PII upon request, conforming to the EU’s now-established ‘right to be forgotten.’

GDPR requires that companies provide ‘reasonable’ levels of data protection for EU citizens.  It has yet to be seen how ‘reasonable’ will be interpreted.  GDPR will also require companies to report data breaches within 72 hours to regulators and affected individuals–a demanding timeline.




Which companies need to comply?

Effectively, any company that handles the data of EU residents.  There are some limitations to responsibility if you have fewer than 250 employees, but most smaller companies will still need to comply.



What are the penalties for non-compliance?

The penalties can be steep, into the millions of dollars.  This is one of the reasons GDPR compliance has gained so much attention.  It is unclear at this point how regulators will in fact handle enforcement.  Is actual damage to consumers required for a penalty enforcement?

Any company that is handling the data of EU citizens ought to begin immediately to look at current compliance-readiness and consider effective remediation steps.