The General Data Protection Regulation (GDPR) is a robust piece of privacy legislation coming out of the European Union. You might think that being in Austin, Texas, or anywhere else outside of the EU, would shield you from its obligations, but you’d be wrong. If you collect data on anyone currently in, or a resident of, the EU, then you are subject to the law. The consequences for failing to comply can be severe - fines of up to 4% of global revenue. That’s a huge hit. So what can you do about it?
2. Implement or Update Internal Privacy Policies
The GDPR isn’t just about providing user choices; you also need to be able to demonstrate compliance when a regulator asks you to. The logic makes sense when you think about what will happen when the EU moves to enforce - they’ll ask you to prove you’re complying, and they don’t have time to comb through your systems to find proof. Having internal policies that protect user information gives regulators a data point they can rely on to see that you’ve made an effort to comply - there’s failure to comply, and then there’s failure to comply for lack of effort. There’s a chance the regulators would be willing to work with you if they see the failure as innocent and made despite a good-faith effort.
3. Provide Users with Choices About How Their Data is Used
As mentioned above, one of the goals of the GDPR is to provide consumer choice when interacting with companies. Being able to offer consumers options with regard to data collection, use, distribution, decommissioning, and review will be necessary for GDPR compliance, so the more privacy is baked into the development process, the better.
4. Update Your Vendor Contracts to Be Privacy Conscious
5. Build Your Systems to Demonstrate How You Protect Consumer Data
Gone are the days of simply seeking to protect your data; now you need to be able to prove that you've done it. If a European regulator comes knocking on your door asking whether you're protecting consumer data, telling them you've done so is not enough. Instead, you'll need to show them how the processes work. When a user opts out of marketing materials, can you show that the choice has been memorialized somewhere? Can you show that you work to ensure those choices are honored? Those are the types of things you should orient yourself toward.
As you might have gathered, the GDPR (and other privacy laws) is no joke. When the GDPR was first announced, the EU gave companies three years of runway to get their systems compliant before enforcing the law. At this point, the EU expects compliance. You really should talk to an attorney to make sure you’re in compliance, but hopefully taking these steps will get you part of the way there!
Alex is a startup-tech nerd trapped in an attorney’s body. One of his favorite hobbies is hearing about other people’s new ideas and watching them succeed. He has a few ideas of his own, and, like many attorneys, enjoys talking about them. If you want to talk about your projects or hear about his attempts to automate the practice of law, reach out through the contact page.