General Data Protection Regulation (GDPR) Learnings
1. The goal of the GDPR is to protect EU citizens (“data subjects”) from privacy and data breaches.
2. GDPR affects both “data controllers” and “data processors”. Data controllers are organizations with relationships with data subjects and determine the purpose and means to process personal data. Data processors are organizations that work for data controllers to process personal data, including collection, storage, transfer or use. The responsibilities of each role need to be considered separately, and controllers are responsible to ensure their processors comply with GDPR.
3. Processors are subject to GDPR regardless of their physical location. However, GDPR does not require personal data to stay in the EU, provided certain conditions are met.
4. A data subject could include a current, former or prospective employee, customer, contractor or supplier.
5. You need to carefully consider every place you may process and/or store personal data. For Passportal this included our four core products, but then also extended to our sales tools (Salesforce and Hubspot), payment processor (Stripe), communication tools (Office 365 and Slack), Partner success tools (Atlassian), finance tools, and hosting services (AWS). If we had staff in the EU it would also apply to Human Resources tools.
6. If GDPR does apply to you, it is applicable from May 25, 2018 and potentially has very large fines if you don’t comply.
7. Becoming compliant is not that scary but requires a methodical approach, and there are now lots of resources available to support you, including:
- The official GDPR site https://www.eugdpr.org/;
- This useful site from the UK https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/;
- This good summary from RSA https://www.rsaconference.com/videos/virtual-session-gdpr-without-the-hype; and
- All major data processors (e.g AWS, Salesforce, etc.) have resources available online.