As a professional services business owner who provides IT services to organizations in Rhode Island, Massachusetts, and Connecticut, I never expected that I would spend 40-50 hours becoming intimately acquainted with a new law passed by the European Union. But that’s exactly what I have done since the rollout of the General Data Protection Regulation on May 25th, 2018.
I don’t have any European clients and very few of our clients actively transact with anyone residing in the European Union. However, since the implementation of GDPR and its effect on citizens of all European Union countries, there are many implications for my company and the companies we service.
As an overview, the law was enacted to protect the personal data of individuals in the European Union. GDPR speaks of "personal data" and "data subjects" rather than PII, it covers anyone who is in the EU and not only EU citizens, and its definition reaches identifiers such as names, e-mail addresses, IP addresses and cookie IDs. One practical way to reduce what your internal systems hold is pseudonymization, which the regulation itself names as a safeguard (Article 4(5) defines it; Article 32 lists it among appropriate security measures): a tokenization service such as TokenEx replaces each identifying value with a random token and keeps the token-to-value mapping in a separate vault, so a breach of the business system exposes tokens rather than people while the data keeps most of its business utility. The caveat is that pseudonymized data is still personal data under GDPR for as long as the mapping exists (Recital 26), so tokenization narrows the systems in scope and shrinks the impact of a breach; it does not remove your obligations.
Any business that collects and stores this information is subject to a number of other requirements as well. These requirements include:
- Telling people, at the time of collection, what their data will be used for, on what legal basis, who will receive it and how long it will be kept (the transparency duties in Articles 13 and 14)
- Obtaining opt-in consent where consent is the legal basis you rely on; it must be freely given, specific, informed and unambiguous (no pre-ticked boxes) and as easy to withdraw as it was to give (Article 7). Consent is one of six lawful bases, so performance of a contract or a legal obligation can also justify processing
- Purging the data when the business's reason for collecting it has expired (e.g., at the end of a warranty period), the storage-limitation principle
- Sending people a copy of the data held about them on request, normally within one month (the right of access, Article 15); where they provided the data themselves and it is processed on the basis of consent or a contract, it must be supplied in a structured, commonly used, machine-readable format so they can take it to another company (the right to data portability, Article 20)
- Outlining a clear and effective process that users can follow to have their data erased (Article 17), which is tricky when it comes to backups: if a record is deleted from the live database, how does it get removed from earlier backup copies? In practice this comes down to a short, documented backup retention window, re-applying deletions when a backup is restored, or keeping the identifying data in a separate store whose deletion leaves the copies in backups unusable
- Notifying the supervisory authority within 72 hours of becoming aware of a breach (Article 33) and, when the breach is likely to put people at high risk, notifying the affected individuals without undue delay (Article 34)
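The tokenization idea from the overview, and the backup problem raised under erasure, come together in the following added example. It is not code from this post and not TokenEx's product or API; it is a minimal in-process model of vault-based tokenization in which identifiers are swapped for random tokens kept only in a vault, a subject-access export rejoins them on demand, and erasure deletes the vault entry so that tokens left behind in the business database and in its older backups no longer resolve to a person. The record layout, the list of identifying fields, the function names and the sample customer are assumptions made for illustration.

```python
"""Vault-based tokenization as a pseudonymisation pattern.

Added example, not code from the post and not TokenEx's product or API.
The record layout, the identifying fields and the sample data are
assumptions made for illustration.
"""
import copy
import json
import secrets
from typing import Dict, List, Optional

# Fields that directly identify a person. They go to the vault and are
# replaced by a token in the business database. (Assumed field names.)
DIRECT_IDENTIFIERS = ("name", "email", "phone")


class TokenVault:
    """Holds the only copy of the token -> identifiers mapping.

    Everything sensitive concentrates here, so this is the component that
    needs encryption at rest, strict access control and its own short,
    documented backup retention. A dict stands in for a real service.
    """

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, str]] = {}

    def find_token(self, email: str) -> Optional[str]:
        """Reverse lookup: access and erasure requests arrive with an
        e-mail address, not a token."""
        for token, ids in self._store.items():
            if ids.get("email") == email:
                return token
        return None

    def tokenize(self, identifiers: Dict[str, str]) -> str:
        existing = self.find_token(identifiers.get("email", ""))
        if existing is not None:
            return existing  # same person, same token across records
        # 128 random bits: the token reveals nothing about the value and
        # cannot be reversed without the vault (unlike a hash of the email).
        token = secrets.token_urlsafe(16)
        self._store[token] = dict(identifiers)
        return token

    def detokenize(self, token: str) -> Optional[Dict[str, str]]:
        return self._store.get(token)

    def erase(self, token: str) -> bool:
        """Right to erasure: delete the mapping. Copies of the token in the
        business database or in its old backups no longer lead to a person.
        Returns False if the token was already gone."""
        return self._store.pop(token, None) is not None


def pseudonymize(record: Dict, vault: TokenVault) -> Dict:
    """Split a record: identifiers go to the vault, the business system
    keeps the remaining fields plus the token."""
    identifiers = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    view = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    view["subject_token"] = vault.tokenize(identifiers)
    return view


def export_for_subject(token: str, business_db: List[Dict],
                       vault: TokenVault) -> Optional[str]:
    """Subject-access / portability export: rejoin the vault identifiers
    with every business record carrying the token, as machine-readable
    JSON. Returns None once the subject has been erased."""
    identifiers = vault.detokenize(token)
    if identifiers is None:
        return None
    records = [r for r in business_db if r.get("subject_token") == token]
    return json.dumps({"identity": identifiers, "records": records}, indent=2)


def run_demo() -> Dict[str, bool]:
    """Walk one constructed customer through tokenize, export, backup and
    erase; returns the observations so they can be checked."""
    vault = TokenVault()
    business_db: List[Dict] = []
    # Constructed sample data, not real customers.
    raw_orders = [
        {"name": "Ada Lovelace", "email": "ada@example.com",
         "phone": "+44 20 7946 0000", "order_id": 1001, "warranty_expires": "2020-05-25"},
        {"name": "Ada Lovelace", "email": "ada@example.com",
         "phone": "+44 20 7946 0000", "order_id": 1002, "warranty_expires": "2020-11-01"},
    ]
    for order in raw_orders:
        business_db.append(pseudonymize(order, vault))
    token = business_db[0]["subject_token"]
    backup = copy.deepcopy(business_db)  # nightly backup taken before erasure

    result = {
        "identifiers_absent_from_db": all(
            k not in r for r in business_db for k in DIRECT_IDENTIFIERS),
        "one_token_for_both_orders": business_db[1]["subject_token"] == token,
        "export_before_erasure": export_for_subject(token, business_db, vault) is not None,
    }
    # Erasure request arrives with the e-mail address, not the token.
    result["erased"] = vault.erase(vault.find_token("ada@example.com"))
    result["token_still_in_backup"] = backup[0]["subject_token"] == token
    result["backup_resolves_after_erasure"] = (
        vault.detokenize(backup[0]["subject_token"]) is not None)
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two things to keep in mind when reading it. First, the erasure only works because the vault is the single place the mapping lives; the vault has backups too, so those need their own short retention with deletions re-applied on restore, or each entry kept under a per-subject encryption key that is destroyed on erasure. Second, because the tokens are random rather than hashes of the e-mail, nothing outside the vault can re-link a token to a person, which is exactly why the vault's reverse lookup is needed to process an access or erasure request at all.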
As a general rule, you must protect the interests of anyone about whom you hold identifiable data, whether customer or prospect. The reach is not limited to EU companies: GDPR applies to a business outside the EU when it offers goods or services to people in the EU or monitors their behaviour there (Article 3(2)), and tracking people across a website with cookies or analytics counts as monitoring. So if your website collects information about visitors and leaves tracking cookies on visitors' systems, these requirements apply whenever someone located in the EU visits, regardless of their citizenship.
Since the Facebook/Cambridge Analytica scandal, it is likely that the requirements for data privacy are going to become law on this side of the pond, as well. If you haven’t already started a dialogue with your IT support team, it may be a good time to start. While I think the chances of getting caught for non-compliance may be a long-shot, the fines can be astronomical.
Not sure where to start? Reach out to a NetCenergy representative, and we’d be happy to start a conversation about data protection and compliance.