5 Steps to Prepare for the EU’s Upcoming General Data Protection Regulation

The European Union's (EU) General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and gives individuals in the EU more control over their personal data. It applies by residence in the EU rather than by citizenship, and it reaches beyond the EU: a U.S. business with no EU establishment must still comply if it controls or processes personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour. Businesses that don't comply with the GDPR could face substantial fines (up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher), sanctions and other penalties.

The GDPR includes a broad definition of personal data: any information that can directly or indirectly identify an individual, including identifiers such as names, email addresses, account numbers, IP addresses, device identifiers and location data, falls within the rule's scope. Because of this, any business that controls, uses or manages personal data needs to be prepared to comply with the new rule. Here are some steps your business can take to review its data management procedures and get ready for the GDPR:

  1. Conduct a comprehensive data audit. Determine what personal data you collect from your customers, vendors or partners, where it's stored, which systems and third parties it flows to, who can access it and how long you keep it. This inventory should guide your other preparations, since you cannot protect, report on or delete data you don't know you hold.
  2. Make your employees aware of the GDPR. Employers need to increase the privacy awareness of their employees so they can recognize potential privacy exposures, spot a possible breach and recognize and route data subject requests (for access, correction or erasure) to the people who handle them.
  3. Define your organization's data processing activities. The GDPR requires organizations to have at least one of six "lawful bases" in order to process personal data: consent, performance of a contract, a legal obligation, protection of vital interests, a task carried out in the public interest, or legitimate interests. Consent is only one of them, and it must be freely given, specific, informed and unambiguous, with a record of how and when it was obtained. In order to comply with the GDPR, you should understand what kind of data your organization collects, determine the lawful basis that is most appropriate based on how you use that data, and document it for each processing activity.
  4. Establish comprehensive data breach procedures. If a data breach occurs, your business must be ready to detect it, contain it, investigate its cause and scope, and report it. The GDPR requires businesses to notify the relevant data protection supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals, and, where the breach is likely to result in a high risk to them, to notify the affected individuals without undue delay. A 72-hour window is short, so decide in advance who assesses a suspected breach, who decides whether it is reportable, and who prepares the notification, and make sure logging is in place so the investigation can establish what data was affected.
  5. Consider appointing a data protection officer. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data; other organizations may appoint one voluntarily. This individual monitors compliance, advises the organization on its GDPR obligations, and acts as the point of contact for the supervisory authority and for individuals exercising their rights.