Is Silicon Valley Ready for the GDPR? Are You?
By Angela Polania
The main reason for this unpreparedness may be found in senior management's attitude towards the GDPR. Most of the time, the majority do not think, and have not considered, that the law applies to them. Some may see the deadline as a suggestion and are waiting to see what happens to them before taking action, and others do not even know what to do. However, from what I see, many organizations are concerned to know whether the GDPR applies to them and, if so, to what extent, since the GDPR applies to any service provided and available in the EEA (European Economic Area). Thus, if your organization is servicing or delivering to European residents, you may be required to comply, regardless of the location of your organization or where your systems process the information.
In recent news, we see how Facebook is pushing to comply with the GDPR and will soon be extending those safeguards to everyone, regardless of where they are located (brought to you by the Cambridge Analytica fiasco). On the other side of the spectrum, we see how Google is using the GDPR to impose unfair terms on its publishers, something that may be happening to you as well.
Is your company looking into the way it captures, stores, processes, transmits, archives, and deletes the data of EEA residents and citizens? For that matter, do you even know if you have EEA residents' data in your systems? Do you know where your data is? What kind of data do you have? Is the data protected? Do you have any processes in place to respond to EEA residents who exercise their right to be forgotten, decline their consent for their data to be exported, or simply request that their data be deleted? Has your organization reviewed and updated the clauses in your contracts for new and existing clients, especially with any third-party provider acting as data collector, processor or simply storing your data (e.g. Cloud)?
It will be interesting to see which companies will be the first to be examined and made an example of by the regulators. Will it be Facebook? Or perhaps Google, since they already had problems with the previous European DPA? Or maybe another Silicon Valley/tech organization?
Coming this May 25th, maybe the regulators will send a strong message by fining large companies, as they pose the highest risk and will serve very well as an example. It is highly probable that the European regulators will also target known small and medium-sized organizations to make sure everyone understands that the GDPR applies to all, not just to large companies.
Every organization is unique, but I hope that your organization has, at a minimum:
Updated the way you capture information about the data subjects on your website (e.g. explicit cookie consent, IP capture consent).
Updated your contracts with applicable clients and third parties that provide, store or process any personally identifiable data of E.U. citizens for/to you.