On May 25, 2018, one of the most wide-ranging pieces of Internet legislation will go into effect when the EU’s General Data Protection Regulation becomes law.

This broad data protection plan has high stakes for an overwhelming number of businesses around the globe. It is a powerful voice for the rights of people’s online identity and a realization of how valuable personal data is.

The GDPR gives the balance of power concerning personal data to the individual rather than companies collecting it, and extends that data to include things like SIM card IDs, website cookies and IP addresses. Individuals will have the right to challenge how companies build up profiles about them and will need to give consent before companies are able to get data and use it in certain ways.

Individuals also have the right to challenge a business’s right to store their data. If the business cannot show a real reason to hold on to the data, the individual can request that it is deleted. Businesses failing to notify authorities of a breach can be fined up to €10 million ($12.3 million) or 2 percent of the company’s profit. Intentional or negligent violations can see a fine up to €20 million ($24.6 million) or 4 percent of the company’s profit.

What Kind of Businesses are Affected by the GDPR?

  • Any company that falls under the following criteria will need to be in compliance with the GDPR come May 25.
  • Companies that sell goods/services to EU citizens.
  • Companies that employ EU residents.
  • Companies that operate websites that use cookies or other means to monitor people and traffic from the EU.
  • Companies that collect any data about EU citizens.
  • Companies using cloud technology that uses apps, data centers or servers located in the EU.

This is a huge population of organizations. If your website captures visitors’ IP addresses and you have five a year from European countries, you qualify. If someone from Holland buys one item from your online store on January 1, you’re still liable to be GDPR for the other 364 days of the year.

Five Steps to keeping your Cloud in Compliance with GDPR

If your company uses cloud technology for anything that involves outside users, there’s a high probability that the GDPR will affect it. Here are five key tips to ensuring your company is in compliance.

  1. Know the physical location of your cloud app providers that are involved with data collection, analytics or storage. If any of these apps are being hosted in an EU country, you’re already qualified for GDPR compliance.
  2. Enact a new data agreement with your existing cloud apps concerning personal data. Make sure that every app you do business with is able and willing to change its agreement with you that it will adhere to all GDPR regulations. If these apps refuse to upgrade their terms of service with you, it’s time to find a new provider.
  3. Ensure that you and the apps you use are only collecting ‘necessary’ data. For instance, if you are only collecting IP addresses on your website to see where visitors are coming from, there’s no need to ask them to fill out a survey recording their names, addresses and personal identification numbers.
  4. Ensure that your apps are only collecting data for a specific purpose and not using it for anything else. How many times have you filled out a form on a website and started getting four new spam emails every day on related products? That will be illegal under the new GDPR law unless each app specifically says so in its data processing agreement and the individual agrees to it. Otherwise, sharing or selling data belonging to EU citizens to third parties is out the window.
  5. Make sure data used in an app can be erased as soon as your contract with that app ends. No app should be hanging on to your data ‘just because’ once your contract ends. Similarly, you shouldn’t have data laying around that’s not being used, because the risk of it being hacked grows every day that it’s just sitting on your server. Hacks, breaches and plain old accidental exposures happen every day. Limit the amount of data to only what you absolutely need to make your business work.

The adoption of the GDPR standards is likely to be a painful one for many companies. Multiple surveys taken over the past year have proven that a majority of firms are not ready for the change and don’t have the proper tools in place to get there. While the powers that be might give some leeway as companies make the transition, getting there first can have a major impact on the future strength of your company.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access