If you or members of your ecosystem do any business at all in the EU, even if you have no physical presence there, you’re going to be hearing a lot about the GDPR (General Data Protection Regulation) this year. The GDPR, which we’ve covered previously, is an absolutely massive set of regulations overhauling how businesses handle their data – particularly sensitive data about individuals. The EU is serious about it as well, with penalties for non-compliance which can be ruinously steep – or result in a company being barred from EU commerce.
Many of the GDPR’s provisions are, frankly, common-sense security stuff that a business should already be doing. However, there are other provisions that could be seen as hidden traps, particularly for businesses not familiar with EU data-handling laws. These are the areas which could trip you up, if you’re not careful.
1. Know your data.
How well-categorized is your data? Do you have a lot of “dark” data, which you possess but have not actually delved into to see what you have? This could cause big problems under the GDPR. If a client demands you erase their data, that means all of it. Ignorance is not an excuse, and if some of their records are lost in “dark” databases, that could incur big penalties if the oversight is discovered.
We strongly suggest investing in a file discovery and analysis product. Besides, such tools won’t only help you with GDPR compliance; they can also uncover genuinely valuable data to add to your analytics!
2. Insufficient opt-out options.
One of the most controversial areas of EU data regulation is the so-called “right to be forgotten,” which includes a whole host of rights to restrict or delete previously-existing data. However, this is not simply a matter of bulk-deleting everything relating to a customer. They have the power to be selective. For example, Article 22 of the GDPR states that people “have the right not to be subject to a decision based solely on automated processing, including profiling.”
So, a customer could theoretically opt out of all automated messaging without opting out of your mailing list entirely. You’ll want to review any automated systems you and your partners use to ensure they comply with “right to be forgotten” regulations.
3. Poor contracts with service providers.
Here’s a scenario: You’re GDPR-compliant, but your cloud data storage company isn’t. Worse, they refuse to re-negotiate their contract – or even threaten legal action if you break the contract early. If a GDPR breach occurs, that’s on them, right?
Nope. It’s on you. You are responsible for the behaviors of your sub-contractors and other affiliated service providers, full stop. If they improperly handle data on one of your customers, you will be held responsible. Going forward, it will be absolutely vital to include GDPR compliance in any contract negotiations you have with data service providers.
This would also be an excellent time to think about becoming SOC 2 certified, which would put you – and your partners – much closer to GDPR compliance.
4. Assuming the UK isn’t part of these regulations.
With all the political drama surrounding “Brexit,” there’s a lot of uncertainty about how many EU laws and regulations will continue to apply to the UK in years to come. However, whether the UK stays or leaves the Eurozone, they approve of the regulations in the GDPR. Even if they don’t remain in the EU, they’ll almost certainly implement their own version in short order.
So, go ahead and work under the assumption that the UK will be part of these rules.
LogicBay Can Help You Manage Your Ecosystem Throughout GDPR Compliance Changes
If you’re unsure how to wrangle your partners to ensure both you and they have nothing to fear from the GDPR, LogicBay can help! Our proven systems bring you an easy-to-use single dashboard linking your company and your partners, while offering superior oversight, communications, and information-sharing ability.