May 25, 2018. If you haven’t yet marked the GDPR deadline on your IT calendar, here’s why you should.
The EU General Data Protection Regulation (GDPR) is a new body of law designed to standardize data privacy across Europe, including data that flows across national boundaries.
GDPR is already in effect and will be officially enforced starting May 25, 2018. It will have a significant impact on any U.S.-based organization that processes personal data in connection with services rendered or goods sold within the European Union, and on any EU organization that does the same across borders.
Personal data is defined broadly by GDPR as anything that can be used, directly or indirectly, to identify an individual, including but not limited to:
- Email Addresses
- Social Security Numbers
- Bank Details
- Social Media Posts
- Medical Information
- IP Addresses
Will GDPR Impact My Organization Even If We Only Operate in the U.S.?
You might be thinking, “Our nonprofit isn’t large and doesn’t have any footprint outside of the state so this can’t possibly affect us.”
That seems logical, but if you have a website, you could be wrong. Whether GDPR applies depends on a number of factors, some of which are tricky to understand. Nonprofits and associations that operate solely within the U.S. can still be affected.
Here’s a scenario that you might not have considered.
What if someone in England is researching your association’s cause on the Internet, visits your website, and fills out an online form providing data covered under GDPR?
Is your nonprofit now subject to all GDPR regulations? If you don’t know the answer to this question, you need to get up to speed fast.
The key here is to be aware that this transnational web transaction doesn’t have to be financial; it just has to be data processing to fall within the purview of GDPR.
If your organization has deliberately targeted an EU audience with intentional marketing (say, copy that targets an EU country audience), yes, GDPR applies.
If this EU individual found your website randomly, or even through a Google search, it would not.
The point is, even if your organization is U.S.-only, it is very important that you and your IT team are aware of GDPR and its nuances so you can mitigate risk in this area.
What If We Do Operate in the EU?
If your nonprofit or association markets itself to EU countries, GDPR will impact your IT operation significantly, and you need to start preparations immediately if you have not already done so.
By most accounts, if your association or nonprofit already meets current U.S. data privacy standards, compliance with GDPR should not be a cumbersome issue. That said, many associations and nonprofits might lag behind for-profit U.S. businesses in their data collection and security sophistication, or don’t have the IT resources in place to get up to speed quickly enough and maintain compliance.
If you fall into the latter category, partnering with a managed IT service provider that understands GDPR and how it interrelates to existing security measures can help reduce your organization’s risk profile.
Even if you already have a robust security infrastructure, there are a few GDPR requirements that can foil even the most prepared and well-equipped IT team:
72-Hour Breach Notification
Your incident response will need to be top-notch. If a data breach occurs, your organization will have to report the breach to an EU authority within a 72-hour window.
Need to Align IT with Sales and Marketing
The GDPR includes more stringent consent requirements for opt-ins and data collection permissions. All data collection points on your website will need to be compliant, but even more importantly, your IT team and your marketing and sales teams need to be closely aligned to avoid violations.
What Steps Can You Take to Comply with GDPR?
The penalties for GDPR violations vary but can be up to 4% of a company’s global annual revenue. That’s a steep price to pay. Here are a few steps you can take to mitigate GDPR risk:
- Audit your data and security framework
- Collaborate with your legal team or partner with external legal resources
- Appoint an internal GDPR officer
- Coordinate with third-party vendors to ensure they’re compliant as well
- Bring in additional IT experts to ensure continued compliance and security
Whether you’re a nonprofit or association with EU interests, or one that is solely U.S.-based, GDPR is a game changer when it comes to data privacy.
At a minimum, U.S.-only IT, marketing and sales teams need to be educated on its parameters and risks; for those with EU data interests, GDPR preparation is critical to protecting your organization and requires expert advice to navigate potential pitfalls.
The first step is educating yourself on GDPR. The second, more complex step is assessing your enterprise’s risk levels, creating a compliance plan and putting it into action. Many nonprofit and association IT departments are not equipped to handle massive regulatory shifts like this.
American Technology Services can help. Our experts can help you answer your GDPR questions, assess your risk, audit your data processes, develop compliance strategies, help implement them and build processes and SOPs to help your organization remain compliant.
GDPR is not something you have to confront on your own. The risks, both obvious and hidden, are serious enough to warrant investment in external IT assistance.