GDPR applies to organizations that collect or process personal data of individuals in the EU, whether as a controller (deciding why and how the data is processed) or as a processor (handling it on a controller's behalf). Such organizations must
- know what personal data they hold, where it is, and why they hold it,
- protect it with appropriate technical and organizational measures,
- dispose of it when it is no longer needed for the purpose it was collected for,
- process it only on a valid lawful basis (consent is one of several; contract and legitimate interest are others) and only for the purposes disclosed to the data subject, and
- be able to erase it at the data subject's request (the right to erasure, popularly called the "right to be forgotten") or hand it over in a machine-readable form (the right to data portability).
Fines for non-compliance are substantial: up to 4% of worldwide annual turnover or €20 million, whichever is higher.
What Requires Compliance?
Obvious activities that require compliance include processing employment data of staff in the EU or regularly selling goods or services into the EU. Note that GDPR's scope is based on where the individual is, not on citizenship: data about non-EU citizens living in the EU is covered, and an organization with no EU establishment is still covered when it offers goods or services to, or monitors the behaviour of, people in the EU. Here are some less obvious scenarios that might trigger unexpected GDPR compliance requirements:
- You post job opportunities on job boards with EU domains and receive applications from people in the EU
- You run email or web-based marketing campaigns targeted at people in the EU, especially if you track whether recipients opened the emails, or your website logs IP addresses or sets tracking cookies (monitoring behaviour is an explicit trigger for extraterritorial scope)
- Your company website is localized to EU countries, languages, or currencies, inviting inquiries about your offerings
- You use your company's IT resources to run analysis on data provided by a client that happens to include personal data of people in the EU (this makes you a processor, with obligations of your own and a required contract with the client)
Know Your Data
It is essential for GDPR compliance to know what personal data resides on your organization's IT systems, including defunct email accounts, outdated SharePoint sites, current and decommissioned employee laptops, cloud and SaaS applications, backups, and ten-year-old accounting system data. GDPR also expects you to document this: a record of what data you process, for what purpose, on which lawful basis, where it is stored, and who it is shared with. When a data subject exercises their rights, you must be able to find and erase (or anonymize) every instance of that person's data across all your systems and repositories, including copies held by third-party processors on your behalf.
What tools do you have in place for search and discovery? Could you find all instances of a person's data across your organization's IT systems, searching not just by name but by email address, phone number, account or employee ID, and other identifiers that may appear in documents, databases, logs, and backups?
Contact Tagence to arrange for a discovery conversation, learn about technologies that can support your GDPR compliance efforts, or simply ask a question.