The European Union’s (EU) General Data Protection Regulation (GDPR) has caused quite a stir in the EU, but its reach extends far beyond Europe. As brick and mortar locations in the US close due to COVID-19, many companies are moving online and going global. If your company is starting to do business overseas, you may be wondering: what is the GDPR, and are we GDPR compliant?
What is regulated by GDPR?
GDPR is concerned with the processing of:
- Personal data – any information that can be used to directly or indirectly identify an individual.
- Sensitive personal data – Personal data revealing race/ethnicity, political opinions, religious/philosophical beliefs, union membership, data concerning health or sex life.
In relation to GDPR, processing refers to any operation or set of operations performed upon personal data. This includes the alteration, collection, combination, consultation, destruction, disclosure by transmission, distribution, organization, recording, restriction, retrieval, storage, structuring, and use of all data that could be considered personal or sensitive personal data belonging to a resident or citizen in the European Union. Yes, that’s a long list of operations so a good rule of thumb is if you’re collecting data in any way from a resident or citizen in the EU, it’s essential to develop a GDPR compliance program for your organization.
Who does GDPR apply to?
GDPR applies to controllers and processors of the data mentioned above. “Controllers” are the entities that determine the purposes, conditions, and means of processing data, for example, a hospital. The “processors” are the entities that process the data on behalf of the controller, for example, a technology provider that hosts software on behalf of the hospital.
What do I have to do to be GDPR compliant?
The three most important things you can do to get your GDPR program started are:
- Inventory all of your processing activities – This includes identifying all of your organization’s processing activities, the purpose for which data is being processed, and the legal basis for processing.
- Obtain consent from data subjects where required – This typically includes data collected from your website, advertising technology, or contact lists.
- Update your privacy notices on your website and in any other contracts you have with parties whose data you collect.
The best way to remain GDPR compliant is to remain vigilant in your privacy and security practices. Gazelle Consulting offers affordable GDPR consulting solutions customized for your specific compliance needs. We’re here to help you with that process and answer any questions or address any concerns.
Send us a message today or call 503-389-5666 to discuss how GDPR affects you and ensure you have the right protections in place to stay compliant with the regulations.