Do you have an office or other operation in the European Union? Does your business sell products or services in the European Union? If you monitor, collect, or maintain the personal data of individuals in the European Union, you need to ensure that your company complies fully with the requirements of the European Union's General Data Protection Regulation (GDPR). Steps that our South Carolina compliance lawyers advise you to take to determine whether you are GDPR compliant include:
1. Updating Your Privacy Policy
If you collect data from any individual, you must provide that individual with an explanation of your collection practices, including what you collect and why, how long you keep it, and notice of their rights. However, updating your privacy policy is only the first step in becoming GDPR compliant.
2. Adopting or Reviewing Internal Security and Data Policies
In addition to a public privacy policy, you should also have an internal policy regarding data collection and data protection. The policy should cover procedures for responding to a data breach. Do not forget to include the GDPR requirements for responding to a data breach, such as the mandatory notification of breaches to the supervisory authority within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals) and notification of the affected individuals when the breach is likely to result in a high risk to them. Employee data collection policies should comply with all federal, state, and GDPR requirements for collecting and storing an employee's personal data.
3. Reviewing Contracts and Agreements
All contracts and agreements should address GDPR requirements. The GDPR requires you to have written contracts with any companies, individuals, or services that process the data you collect and maintain on your behalf, setting out what they may do with the data and the security obligations they must meet.
4. Re-Assessing Security Measures
Compare your data security measures to the industry standards for protecting data. Several data privacy and security frameworks can provide a guideline for ensuring your security levels meet the GDPR requirements. Reviewing Article 32 of the GDPR can help you assess your data encryption and pseudonymization, the confidentiality, integrity, availability, and resilience of your processing systems and storage, your ability to restore data after an incident (including backups), and your regular testing of these measures.
5. Adopting Procedures for Purging Data
The GDPR limits the time you can store an individual's data without a valid reason for maintaining the data. You need to review the GDPR's requirements for retaining and purging data to ensure your procedures comply with the GDPR. Your purging process should also include steps for destroying data that is no longer needed, and those steps must comply with the GDPR rules for disposing of and destroying personal data and information.
6. Keeping Detailed Records
You should maintain detailed records of the steps you take to comply with GDPR requirements. Your records should reflect the steps you have taken and are currently taking to comply with the GDPR. As you continue to comply with the law, maintain records of your efforts toward compliance to mitigate the risks of non-compliance if a complaint is filed against your company.
Our South Carolina Business Compliance Attorneys Know GDPR
It can be difficult to know if you are GDPR compliant, especially if you are a small business that has not instituted detailed data privacy procedures. Larger companies may believe their policies for data collection are sufficient; however, they may not be GDPR compliant.
Contact our South Carolina business compliance lawyers at Willcox, Buyck & Williams, P.A. Our South Carolina business law attorneys help businesses evaluate their privacy policies and data collection policies to ensure they are complying with all GDPR requirements.