In case you haven’t heard, the General Data Protection Regulation (GDPR) is the first significant change in data privacy requirements in over 20 years — and it will impact businesses all over the world. What’s more, enforcement begins on May 25th of 2018, meaning you could get smacked with a massive fine if your business is non-compliant.

The GDPR was established to help protect the personal data of internet users in the European Union. It was adopted in 2016, and has since been in a two-year transition period.

The GDPR, though established to protect data from internet users who live in the European Union, is enforceable all over the globe. The bottom line? If your business handles data from any EU residents, you must abide by GDPR. The regulation affects both controllers and processors — “controllers” being the organization that collects the data, and “processors” being anyone who stores data on behalf of a controller (like a cloud storage service).

Read on for recommended steps to prepare your business.

Steps for Businesses to Get Ready for GDPR

As a business owner, you’re handling a lot at once — meaning you may not have the time or resources to become an expert on GDPR in the short time before it becomes enforceable. Though we’ve listed some basic steps you should follow to ensure your organization is compliant with the new regulation, it’s still a good idea to consult your lawyer to make sure all of your bases are covered before May 25th.

Determine if you’re housing data from EU residents, or if you are likely to be in the future.

The GDPR applies to organizations all over the world — not just those in the EU. However, if you aren’t working with sensitive data belonging to EU residents, you may not have to worry about GDPR.

But before you can determine if the GDPR applies to you, it’s helpful to understand which types of data the GDPR regulates. “Personal data” refers to anything that can be used to identify a person. This includes:

  • Names
  • Social media posts
  • Photos
  • Email and physical addresses
  • Phone numbers
  • Bank account information
  • Medical information
  • Computer IP addresses

Take a look at the data you’ve collected from clients or customers. Are any of these users living in the EU? If yes, you’ll need to update your terms and conditions according to GDPR standards. If not, you may be able to continue doing business as usual — but keep in mind that the fine for non-compliance is 20 million Euro or 4 percent of worldwide turnover, whichever is higher for your business. It may be better in the long run to ensure your compliance now, in the event that you start handling EU user data later.

Update your terms and conditions.

It’s time to do away with lengthy legalese and convoluted privacy policies. One of the GDPR’s objectives is to make it far easier for people to understand exactly how their data will be used. For example, if you have an opt-in form that requires a user to enter their email and name, the GDPR would require you to include a statement that says what you’re going to do with this person’s information. This could be as simple as saying “we will only use this information to send you our monthly newsletter.”

However, in the event that you’re collecting sensitive data (like bank account information), the rules regarding language are a little more stringent. The GDPR distinguishes between two types of consent that users must give in different scenarios:

Explicit consent. When you’re asking consent to collect someone’s personal data, language must be intelligible and easily accessible. It must use “clear and plain language,” and it must be equally easy for users to withdraw consent or give it.

Unambiguous consent. With this type of consent, the person sharing their data knows exactly what you’ll be using it for.

The rule is that if you’re processing sensitive information, explicit consent is required. For all other data, unambiguous consent is enough.

Determine if you need to appoint a DPO.

A data protection officer (DPO) is someone whose job is to ensure your organization is compliant with data protection regulations. You aren’t required to have a DPO by default, but the GDPR does require you to appoint one if:

  • You’re a public authority.
  • You engage in “large-scale systematic monitoring.”
  • You engage in “large-scale processing of sensitive personal data.”

If none of these sound like you, you don’t need to hire a DPO. For more information on the GDPR, check out the EU GDPR Information Portal.