The General Data Protection Regulation (GDPR) impacts how companies manage personal data.
GDPR applies to the “personal data” of individuals in the EU, no matter where your organization is located. If you offer goods or services to even one customer in the EU, or monitor the behavior of people there, you are subject to the GDPR.
The EU defines “personal data” very broadly, as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Violating GDPR can result in significant penalties: fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
Increasingly, companies rely on third party vendors to collect, process, and store personal data, such as:
• Website software that records IP addresses, visitor behavior, “contact us” forms, etc.
• Marketing and sales CRM databases, including email service providers
• Other spreadsheets, databases and documents that contain personal information
These companies are “data processors” of your customers’ personal data, while you remain the “data controller.” As the controller, you are accountable for selecting processors that provide sufficient guarantees of GDPR compliance and for having a written data processing agreement in place with each of them (Article 28); a processor’s violation can therefore become your liability.
Step 1: Identify and prioritize vendors that process personal data that you control.
Step 2: Contact those vendors to request information on their compliance status, including whether they will sign a data processing agreement.
Step 3: Assess vendor compliance.
Step 4: Work with noncompliant vendors to get them into compliance, or replace those vendors.