Are you complying with all the GDPR regulations?
Since the EU’s legislation on GDPR came into effect on 25th May 2018, many companies have added controls and updated their policy statements and procedures in an attempt to be GDPR compliant.
Despite all best intentions, there may be some areas of the legislation that you have not covered, resulting in your company being accidentally non-compliant!
Check out our helpful guide about the 12 areas of GDPR and read on to discover things you really need to know about GDPR compliance.
1. Non-EU businesses and GDPR
If your business is based outside of the European Union, understandably, you might be thinking:
“Hey, GDPR is an EU regulation and we’re an American company: why would we need to be GDPR compliant!”
The scope of the EU's GDPR regulation is not limited to the territory of the European Union: it also covers data belonging to individuals in the EU, regardless of where that data was generated or is stored.
GDPR’s Article 3, covering territorial scope, highlights that the regulation applies in any of the following situations:
- Established in the EU (or somewhere else subject to EU law)
- Offering goods or services to individuals in the EU
- Monitoring the behavior of individuals in the EU
So if you're an American company that offers goods or services to EU individuals, you must ensure your business is compliant with the GDPR regulation.
2. Non-business Organisations and GDPR
Although your organisation might not be running as a business, processing orders or even making a financial loss, you might still be required to comply with GDPR regulations.
Why would that be the case though? Is GDPR not just for big business?
This is a common perception, and one that we have explored in our article: "GDPR Compliance: Does it apply to SMEs?". And it's not just SMEs!
Non-business organisations, such as blog sites, clubs and societies, that collect or process data about EU individuals, or monitor their behaviour, also need to ensure that they are fully compliant with GDPR.
3. Time Limited Response to GDPR Requests
As part of the GDPR regulations, EU individuals have certain rights over their data. Businesses and organisations must comply with requests exercising these rights, adhering to specified timelines.
The legislation provides that access requests must be processed without undue delay and at the latest within one month of receipt, generally disregarding normal business-day or working-day limitations.
Don’t forget: The clock starts ticking as soon as you receive the access request!
Data requests made by EU individuals can include the following:
- Right to request a copy of their data
- Right to request that their data is deleted permanently from your business/organisation
- GDPR regulations: Rights to access, portability and erasure
If you do not have structured and efficient processes in place to deal with these types of data request, you could find yourself in a situation where you cannot comply within the specified timelines, and you could come under the regulator's spotlight for a breach of the regulations and/or face an associated fine.
How can my organisation improve its compliance?
All good businesses want to be GDPR compliant (AVG in the Netherlands), both for the legalities and for their customers.
At Seahorse Data, we recommend that you regularly review how the following areas relate to GDPR:
- The type of your business' or organisation's activity
- The territorial origin of your customers
- The systems and procedures you have in place to meet GDPR request timelines
Find Out More…
For more useful GDPR (AVG) related topics and tips like this, and to be the first to hear about our GDPR Compliance Products, why not follow us on Twitter: @seahorseData.