7 Steps to GDPR for US Companies

The EU's GDPR impacts all companies doing business with EU citizens. Here are some important steps to take to ensure you’re on the fast track to compliance.

Guest Commentary

July 4, 2017

Martin James, DataStax

The General Data Protection Regulation (GDPR) creates drastic and broad-sweeping changes to data privacy for anyone who is in the EU (not just citizens, but visitors and immigrants as well) and for any company that retains EU customer data. The purpose is to ensure that data subjects have greater control over their personal information, including the right to actively consent to every use of personal data, the right to limit that use, the right to be forgotten, the right to have their data portable, and the right to seek damages should they suffer from misuse or breach of their data.

If you’re in a U.S.-based multinational enterprise doing business in the EU, you’re aware that the GDPR deadline is May 25, 2018. You may also be painfully aware that you are not ready for the impending change. Gartner recently predicted that only 50% of companies impacted by the tough regulation will be compliant by the end of 2018. Non-compliant companies will face hefty fines of up to €20 million or 4 percent of global annual revenue, whichever is greater. Non-EU companies will be a particular target of these higher fines.

Preparing for the GDPR needs to start now. Here are some important steps to take to ensure you’re on the fast track to compliance.

Steps to take now

1. Determine whether you’re a controller or a processor. This will shape your preparations. The regulation breaks out responsibility for protecting data into two roles: controllers and processors – and says that both parties are liable for upholding data subjects’ rights. In some cases, you can be both controller and processor, or a controller that has multiple processors. Understand the GDPR definitions and get the advice of your legal team.

2. Audit your data. This is one of the most time-consuming tasks, but it reaps multiple benefits. Find out what data you have, where you have it, why you have it, how long you need it and any current processes for deleting it. Can you get a single view of your data subjects? There are database solution providers who can help you do this. A single view will be necessary in order to be able to “forget” (delete) a data subject’s information from everywhere you have it stored.

3. Work with your legal team and GDPR experts to determine which EU member state will be your supervisory authority. You will need to appoint a representative for your company who is established in your EU supervisory country. This person is the point of contact for all communications with the GDPR supervisory body.

4. If required, appoint a Data Protection Officer. Not all organizations need one, but given the vastness of the compliance requirements, it may be wise to have one. Make sure this person has the expertise you need.

5. Redesign what consent and disclosure look like for your customers. Data subjects will need to check a box (or its equivalent) for every single use case you have for their data. This includes profiling and big data purposes. They need to be able to select those they agree with and decline those they don’t, and you need to be able to comply with and track their preferences in your systems.

6. Audit your third-party providers and re-evaluate service level agreements. Remember, if a third party is not able to prove its GDPR compliance, the work it does on your EU data is illegal.

7. Consider where your data centers should be. Some companies are moving data centers to the EU to comply; some cloud-based database providers are able to easily discern and segregate EU data for you.

No doubt GDPR compliance can be overwhelming, but the GDPR can ultimately benefit your company. Consider making GDPR standards the standard for your company around the globe. Improved data efficiency, better data protection, better relations and trust with customers – all of these have the potential to push your company to the forefront and better secure you against the future pain of data breaches.

Martin James is Regional Vice President, Northern Europe at DataStax, where he is responsible for the company’s go-to-market strategy and sales performance. Prior to DataStax, Martin held roles in sales leadership for companies across the data, analytics, marketing and cloud sectors.
