Everyone in the software world who hasn’t been living under a rock is (or should be) gearing up for May 25, 2018. That’s when the new EU General Data Protection Regulation (GDPR) reshapes how organizations around the world approach data privacy with citizens in European Union countries.
The penalties for non-compliance are severe, as much as EUR 20 million or four percent of total annual revenue, whichever is greater. It’s expected that the EU will make examples of a few high-profile companies soon after the regulation goes into effect.
If you haven’t yet started preparing for these changes, here’s what you need to know and do... starting now.
Identify Your Hidden Risks
The intent of the GDPR is to protect EU citizens from privacy and data breaches, and to regulate how their data is shared with companies located inside and outside the EU. This means you may still be at risk even if you don’t have offices or a presence in an EU country.
The degree to which this protection will be enforced for companies without a significant presence in the EU remains to be seen, but you can assume you are at risk if you have any Personally Identifiable Information (PII) for EU citizens. PII is very broadly defined and includes the names and business email addresses of suppliers, sales reps, contractors, customers, or anyone else for that matter.
Another important factor in determining your risk is whether you are a Controller or a Processor. A Controller determines why and how the data is collected and processed, and establishes a legal basis for data collection and use. Seems straightforward enough, but here’s the twist.
Controllers are also responsible for ensuring that the systems and processes of all of their service and system providers (Processors) are sufficient to comply with the GDPR obligations. Thus, you can be held legally liable if any one of your sales and/or marketing system or service providers fails to comply with GDPR.
We suggest reviewing this summary of key changes to identify other potential risk factors, and taking the necessary steps to address them.
Take Corrective Action Now
Have you completed an assessment and begun executing your compliance plan? If not, it’s critical that you start now. Here are some initial steps you can take:
- Determine whether you are a Controller or a Processor to understand your responsibilities. We already described the responsibilities of a Controller, which are considerable. Processors aren’t off the hook either, because some of their requirements overlap with the Controller's. They also have specific obligations to the Controller.
- Conduct a comprehensive assessment that identifies what personal data you are collecting and how you are using it. Then assess how your systems and processes stack up against the GDPR requirements, and identify what changes are needed to comply.
- Contact your sales and marketing tool and service providers to determine whether their information security policies, procedures, and systems meet your GDPR obligations. If not, you need to seriously consider whether you can afford the risk of continuing to work with them.
- Develop and execute a plan to fill any compliance gaps well in advance of the May 25th effective date. You’ll need adequate time to test your changes and to ensure that your Processors are ready as well.
GDPR is serious business for anyone in software or marketing. Even if you don’t have a significant presence in the EU, it’s important to understand your exposure, directly and indirectly, and protect your data and your brand.
Your system and tool providers can increase your risk exposure if they aren’t in compliance with the stringent requirements of GDPR. Be sure your vendor partners are committed to providing information security systems and practices that are strong enough to comply with GDPR.
ROI Selling takes information security seriously and it is our highest priority. Please visit our Information Security page for additional information.
References
- AdExchanger: A Marketer's Guide To GDPR
- HubSpot: Are you GDPR ready?
- Covington: GDPR Contracts and Liabilities Between Controllers and Processors
Disclosure: The information contained in this article is in no way intended to constitute legal advice. It is a practical overview of the research and experience ROI Selling has gained while working to comply with the upcoming GDPR changes. Please seek professional legal counsel to understand the requirements of GDPR and how they apply to your specific situation.