GDPR is in effect, though there is a honeymoon period during which the EU won’t go after data users that aren’t compliant. This grace period is supposed to be used by data users to reach compliance, but as we’ve reported previously, most companies aren’t near compliance, nor will they reach it before the honeymoon period expires. GDPR’s punishments, called sanctions, are extremely steep, and even the lowest-level sanction is a series of audits at the negligent company’s expense. There is an air of wariness as companies wait to see whether GDPR will actually be enforced against companies outside of the EU, and many expect that they’ll be able to escape punishment or prosecution for not complying. GDPR has been hailed as a “data regulation for the people” because it aims to reduce the power companies and interest groups have over what is supposed to be private information. If GDPR is ruthlessly enforced, it will set the tone for future conversations over private control of private data, but weak enforcement will send the message that companies aren’t beholden to regulations. The first international or extranational corporation that is the target of GDPR will determine whether the regulation continues to exist or is brushed aside.
GDPR compliance is an important thing to keep in mind moving forward, and it affects both new and old companies, though new data users may have an easier time accommodating GDPR. Any organization should determine whether it is required to comply with GDPR; companies that have users from the European Union aren’t necessarily required to comply with GDPR, because it depends on how the user’s data is applied. If your website displays ads that are related to the content found on your website (such as ads for fishing rods on a fishing supply company’s website), then you’re not required to be compliant with GDPR; however, if the ads found on your website are targeted to specific users (such as fishing rods from a local supplier, chosen because your website geolocated your German user), then you will have to comply with GDPR.
Source: Who Does GDPR Affect?
Now that GDPR has rolled out you may be wondering how to reach compliance, and we’ve got a guide to help. First, you’ll need to determine whether your data falls under GDPR, and if it does, you’ll have to determine whether your organization is a data processor or a data controller. Both types of data user have to comply with GDPR, so you’ll want to focus on your internal cyber security and data-handling policies. Your organization will have to start collecting and documenting users’ permission to use their data, as well as the other permissions and forms required to reach compliance. Your organization should update its Terms of Service (ToS) and check its cookie and tracker privileges; if you don’t know what cookies and trackers your organization uses, you’ll need to find a tool to show you so that you can create the proper documentation.
Source: Six Ways to Prepare for GDPR
Max is a Legal Assistant and author residing in the Philadelphia area. He has been writing for AskCyberSecurity.com since early 2017.