GDPR compliance

One of the major tasks when it comes to managing and protecting data is complying with all regulations that affect your organization. The EU General Data Protection Regulation, or GDPR, is a recent set of compliance standards that IT managers must meet, but there’s some confusion around who actually has to comply and what impact it has on current data storage practices. According to the Spiceworks 2018 State of IT report, 57% of companies surveyed either have not allocated budget for GDPR compliance or are unclear whether or not they even have a GDPR budget. So, here’s what you need to know in order to get your data center GDPR ready.

What is the GDPR?

The GDPR is a new piece of data protection legislation introduced in April 2016 by the European Union that will replace the current EU Data Protection Directive 95/46/EC. The law is set to take full effect on May 25, 2018, bringing a slew of new rules. Key changes include:

Sensitive Data

IT organizations must prioritize safeguarding certain types of sensitive end user data. This means preventing the release or careless misuse of data such as health records, religious affiliations, criminal convictions and more. Failing to do this can result in a hefty fine under the GDPR.

Consent

The GDPR signifies the end of assumed consent when it comes to certain types of data collection. If a consumer decides to give their data, companies will now need to provide a clear and easy-to-understand breakdown of what the information will be used for. This also includes a ban on automatic subscriptions and pre-ticked opt-in boxes for certain types of emails. *Note: Existing consents may need revisiting, including website cookies and end user license agreements.*

Data Access & Erasure

Under the GDPR, consumers will be able to request to see their stored data and may withdraw permission to use their data at any point. If requested, companies must completely delete the provided information from all platforms and storage devices.

Notification of Breach

A small but potentially expensive change being made under the GDPR is that all companies must notify authorities and the public of any data breach. If this is not done correctly within 72 hours of the breach, organizations may incur a fine.

Who has to comply with GDPR?

Many U.S. organizations are under the assumption that GDPR compliance won’t affect them since the law was put forth by the EU; however, this may not be true. The GDPR covers any company operating in (or with) the EU. *Note: It is also likely that the U.K. will pass some form of compliance legislation meant to mirror the GDPR after leaving the EU.* So in short, not operating in the EU does not guarantee that GDPR compliance will not impact your organization.

Are You GDPR Ready?

This is just a brief overview of what the GDPR will mean for your data storage, protection, and security practices. For more information on GDPR compliance, check back in for part 2 of this blog series. We will discuss ways to get your company GDPR compliant, tips and checklists on policies to revisit, and best practices to avoid any penalties.

This blog post is not meant to serve as legal advice for your organization to use in complying with the EU GDPR. It is, instead, background information meant to help you better understand GDPR compliance regulations. Any information provided in this blog post should not be taken as legal advice or consultation for GDPR compliance.