The Steep Price of Data Collection is Skyrocketing, Unless You Get it Right
Do you have a privacy and data security policy? These days, you should. And if you do business in Europe or with European customers, vendors or employees, as of last Friday (25 May 2018) you need to know about the GDPR. Start with these two threshold questions:
1. Does your company receive or collect personal data from organizations or natural persons residing or operating in the European Economic Area (EEA)? Personal data may include names, dates of birth, email addresses, identification numbers (e.g., employee ID numbers), website cookies, IP addresses, geolocation data, purchase histories, services used or subscribed to, communications (e.g., website chats or social media posts, even if publicly visible), social media pictures, video or audio recordings, promotions used, survey responses, and download records.
2. Does your company store any personal data with any processors within the EEA? Data processors may include managed data centers, cloud storage providers (e.g., Amazon Web Services, Dropbox), payroll agencies, solicitors, accountants, and third-party email marketing companies.
If you answered "yes" to either question, you may need to comply with the GDPR. Read on.
3. Does your organization store any of the personal data described in question 1 in electronic or other readily accessible form for any natural persons, including current and former employees, current and prospective customers, and visitors to your organization's website?
4. Does your organization store any of the following particularly sensitive categories of personal data in electronic or other readily accessible form: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health or medical data, sexual orientation or sex life, criminal charges, offenses or convictions?
5. Does your organization store any personal data that identifies, or can be used to identify (directly or indirectly), individuals under the age of 16?
6. Does your organization use or do business with any vendors, contractors, or third parties such as those described in question 2?
7. Does your organization have reliable, accurate records that it can use to demonstrate when and how each individual whose personal data it stores gave specific, affirmative, informed and identifiable consent to that storage?
8. Does your organization have a designated responsible contact person and a process in place for documenting and responding to a Data Subject Access Request within one month of receipt (commonly treated as 30 days)?
If you are subject to the GDPR, your answers to questions 3 through 8 will help determine whether you are compliant or exposed to liability for non-compliance. And if you are not subject to it, these questions still describe a sound standard for keeping your customers' and employees' data safe, even in the U.S.
We recommend that our business clients adopt written privacy, data protection and security policies, and include data protection language in their customer and vendor contracts. Note that the GDPR itself requires a written contract with each processor that handles personal data on your behalf (Article 28), and that contract language supplements, rather than replaces, the technical and organizational security measures the Regulation expects (Article 32). Taken together, these measures help protect the business from liability for data breaches and, now, for non-compliance with the GDPR.