Loading...

Is Silicon Valley Ready for the GDPR? Are You?

By Angela Polania

After the approval of the GDPR on 27th April 2016, the grace period to comply with the new regulations is approaching rapidly (Enforcement date: 25th May 2018).

Unsurprisingly, a large number of organizations are still yet to be compliant with the EU GDPR.

The main reason for this unpreparedness may be found in the senior management’s attitude towards the GDPR. Most of the time, the majority do not think and have not considered that the law applies to them. Some may see the deadline as a suggestion and they are waiting to see what happens with them in order to take action, and others do not even know what to do. However, from what I see, many organizations are concerned to know whether the GDPR applies to them, and if so, to what extent, since the GDPR applies to any service provided and available in the EEA (Economic European Area). Thus, if your organization is servicing or delivering to European residents, you may be required to comply, regardless of the location of your organization or where your systems processed the information.

In recent news, we see how Facebook is pushing to comply with the GDPR and will soon be extending those safeguards to everyone, regardless where they are located (brought to you by the Cambridge Analytica fiasco). On the other side of the spectrum, we see how Google is using the GDPR to impose unfair terms to their publishers, something that may be happening to you as well.

So, are the U.S. organizations ready for the GDPR?  It appears that many organizations’ efforts are limited to reviewing and updating their privacy notice (privacy policy), but does this really mean that they are safe from the GDPR fines? The GDPR can fine up to 2% of the organization’s annual revenue of the prior financial year for improperly set controls and up to 4% of the worldwide annual revenue of the financial year for the breach of the basic principles of data processing and transfer.

Is your company searching for the way you capture, store, process, transmit, archive, and delete the data of the EEA residents and citizens? For that matter, do you even know if you have the EEA resident’s data in your systems? Do you know where your data is? What kind of data do you have? Is the data protected? Do you have any processes in place to respond to the EEA residents, who would be exercising their right to be forgotten or declining their consent for their data to be exported, or simply requesting their data to be deleted. Has your organization reviewed and updated the clauses in your contracts for new and existing clients? Especially, with any third party provider acting as data collector, processor or simply storing your data (e.g. Cloud)?

It will be interesting to see, which companies will be the first to be examined and made an example by the regulators. Will it be Facebook? Or perhaps Google, since they already had problems with the previous European DPA? Or maybe another Silicon Valley/ tech organization?

Coming this May 25th, maybe the regulators will send a strong message by fining large companies as they pose the highest risk and will serve very well as an example. It is highly probable that the European regulators will also target known small and medium size organizations as to make sure everyone understands that the GDPR applies to all, not just to large companies.

Every organization is unique but, I hope, that your organization has at a minimum:

  • Updated the privacy notice (privacy policy) in plain- English and any other EEA language, where you provide service or deliver products.

  • Developed an internal privacy policy defining how you comply with the requirements and your processes.

  • Updated the way you capture information about the data subjects in your website (e.g. explicit cookie consent, IP capture consent).

  • Updated your contracts with applicable clients and third parties that provide, store or process any personal identifiable data of E.U citizens for/to you.

Elevate can be your trusted advisor on the GDPR

Find Out More!
Find Out More!
2018-05-03T08:07:12+00:00