The General Data Protection Regulation (GDPR) has been active for several months, coming into force on May 25, 2018. If you noticed a stream of emails around that time from websites notifying you about their new privacy policies, the GDPR is the root cause. Should you be concerned about GDPR compliance for NJ businesses?
In short, the GDPR seeks to give citizens and residents of the European Union more knowledge and control over how companies use their personal data. Any organization that does business with EU citizens or residents—even those located outside the EU—must comply with the terms of the GDPR or face the risk of fines and other penalties.
Even if you’re located in New Jersey, the GDPR still affects you if you’re a multinational business. In this blog post, we’ll discuss the topic of GDPR compliance for NJ businesses and what you need to do for your organization to meet the terms of the GDPR.
What is the GDPR?
The GDPR seeks to standardize data protection rules across the 28 member states of the EU. In doing so, the authors of the GDPR aim to give EU citizens and residents more rights concerning their personal data and make companies more accountable for how they handle it.
As defined by the GDPR, “personal data” includes sensitive information such as your Social Security number and payment card details. However, it also covers any information that can be used to identify a specific person: first and last name, physical address, ID numbers, and even online identifiers such as your computer’s IP address and cookies.
The state of New Jersey has released a GDPR guide for NJ businesses that can help summarize the main effects of the GDPR:
- Data processing: Data must be processed “lawfully, fairly, and in a transparent manner.” Users must be aware of what kind of information organizations are collecting about them, and how the data is processed once it’s in their possession.
- Data storage: Organizations must be able to justify why they need to store and retain personal data. Users also have the right to data portability: the ability to obtain their personal information in a common standard that can be easily exported to another system.
- Data security: Users must be confident that organizations will store their data safely and responsibly. In the event that a data breach is discovered, organizations must notify the affected individuals within 72 hours.
- Data removal: Any user can ask an organization to delete their personal data (also known as the “right to be forgotten”). In addition, information can be retained only for as long as the organization can continue to justify keeping it.
Why Should NJ Businesses Comply with the GDPR?
As mentioned above, the GDPR applies to every company that does business with EU citizens and residents, even those located outside the EU. If you store the personal information of EU “data subjects,” you must comply with the GDPR.
The consequences of GDPR non-compliance can be costly: fines for the most serious infringements can reach 4 percent of annual revenue or 20 million euros, whichever is greater. While it’s unlikely that a minor first-time offense would be penalized so harshly, the European Commission retains the right to levy these highly dissuasive fines.
Since the GDPR has already been in force since May 2018, you may already be in violation of the terms of the regulation. However, the sooner you make serious efforts to bring your company into compliance, the more lenient the European Commission is likely to be in the event of a complaint.
Complying with the GDPR: A Checklist
If you’re not certain what steps your organization should take to become GDPR-compliant, we’ve provided the checklist below for you to follow.
- Verify that you’re impacted: If your organization has customers who are EU citizens or residents, or if you store data about such individuals, then the terms of the GDPR apply to you.
- Review your current policies: Your cybersecurity policies need a review to ensure that users’ sensitive and confidential information is protected in the event of a data breach. While the GDPR does not mandate using technologies such as encryption, it remains a strong option to keep data secure during transit and at rest.
- Audit your current data: Go over the personal information that you currently collect, process, and store. You should be able to justify retaining all of this data in a manner compliant with the GDPR; otherwise, you must delete it.
- Assign a Data Protection Officer: The GDPR requires all organizations to designate a Data Protection Officer (DPO) who manages their company’s GDPR strategy and implementation.
- Reach out to technology partners: If you don’t feel confident that you have the in-house staff necessary for GDPR compliance, contact trusted, knowledgeable IT partners who can help advise and guide you.
GDPR Compliance for NJ Businesses
The question of GDPR compliance for NJ businesses is less straightforward than you might believe. While the broad aims and objectives of the GDPR are easy to understand, the exact details of implementing compliance will differ for each organization. Schedule a free consultation with the experts at Techwerxe today to find out how we can help you along the way on your GDPR journey.