With the new General Data Protection Regulation (GDPR) in effect, companies across the globe are attempting to discern whether the new law applies to their business, and if so, how they can become compliant as to avoid any potential fees.
As usual, massive regulation is yielding little guidance. To shed some light on this issue and get to the bottom of the newly enacted laws, Vendor Centric CEO Tom Rogers interviewed Alan Tilles, Partner at the law firm Shulman Rogers. Alan is an expert in data privacy and telecommunications law, and has been supporting businesses across the U.S. to get compliant with the GDPR.
Here are a few of the highlights from the interview.
- GDPR is intended to give the owner of private information (PI) the right over who has access to it, as well as the right to be promptly notified if it was breached. It became effective May 25, 2018.
- Many, if not most, U.S.-based establishments need to be compliant with GDPR. ”Even if you think you don’t conduct any business in Europe, Alan suggests you ask yourself these four questions before you ignore it completely:
- Do you take credit cards?
- Do you not restrict who you take credit cards from?
- Do you do business with non-U.S. citizens?
- Do you have a mailing list?
- There are significant penalties for noncompliance. Some of the sanctions that can be imposed on companies include a fine of up to 10 million euros, or 2% of annual worldwide turnover of the preceding financial year, whichever is greater; or up to 20 million euros or 4% if infringement of other provisions occurs.
- Alan advises to start simple – update your privacy notices on your website. One of the changes in GDPR is that website privacy notices must be more informative and be stated in plain English.
- One other key point noted was that companies need to ensure certain vendors are complying with these regulations too. “If vendors are doing things like processing credit cards or creating mail lists for you, it’s your responsibility to ensure that they are complying on your behalf.”
Listen to the full interview with Alan Tissel by listening to our podcast titled, “GDPR and Vendor Management: Rethinking Privacy.”