Happy GDPR Day!
We’re less than 24 hours into the GDPR era and already Facebook and Google have been hit with lawsuits and many major U.S. news sites are down in Europe. Are we having fun yet?
Here’s a positive: now that it’s May 25th, 2018, we’ll no longer be subjected to, “GDPR is Coming” emails, articles and blog posts. Yep, at long last GDPR has finally arrived. So, now what?
Well, first of all, if you were hoping this day would pass and become much ado about nothing, I have bad news for you. This isn’t a non-event like Y2K. GDPR is real and data privacy issues are not going away anytime soon. GDPR and privacy issues are likely to dominate headlines for the foreseeable future.
Today has long been billed as the deadline for companies to become GDPR compliant, but very few companies are claiming 100 percent compliance. And, while there is a tendency to procrastinate on complicated projects like these, it’s ok for your compliance plan to still be a work in progress. Quite frankly, GDPR is a mess. Just last week, Professor Alison Cool of University of Colorado, Boulder wrote a New York Times opinion piece explaining that GDPR regulations are “staggeringly complex and practically incomprehensible” to the people trying to get in compliance. Some even doubt “absolute compliance is even possible.”
Yikes.
Where does that leave us? For starters, your realistic goal regarding compliance should be to accomplish as much as you can as fast as you can. Making a good faith effort will probably provide some cover from regulators who will likely begin by looking at the companies who thumbed their nose at GDPR. That doesn’t mean you should rely on the vagueness and uncertainty about GDPR to try to squeak by with a weak compliance strategy. In fact, we recommend the opposite approach.
Here are a few general best practices no matter where you are on our compliance journey:
- Form an internal task force. Gather the leaders from the teams that are most impacted by GDPR, and have them help scope out the project. Your task force should include senior level employees from marketing, IT, and of course legal.
- Consider naming or hiring a data protection officer whose main responsibilities include overseeing data privacy, ensuring compliance, and managing data protection risk for the organization. This executive should have expertise in data protection law, best practices, and a complete understanding of the company’s IT infrastructure, technology, and technical and organizational structure.
- Get your opt-in emails out to your customers as soon as possible. You may have noticed barrage of emails that have been hitting your inbox over the last few weeks. Those are from companies asking you to opt-in to your email communications. If you run regular communications campaigns via email, you want to send an opt-in email as well.
GDPR is a journey not a destination – but it’s not a journey you can avoid. It’s also not the final chapter of the data privacy story. In fact, we expect similar legislation from various countries (including the U.S.) to be coming sooner rather than later, so don’t put this off. Start taking steps to ensure GDPR compliance today. For more information, check out the data privacy section of the Sugar Community.
-Andrew
(Disclaimer: The content in this blog post is not to be considered legal advice and should be used for information purposes only).