If you've found your way here, you've probably already heard that the European Union's General Data Protection Regulation (GDPR) becomes enforceable starting May 25th 2018. The GDPR applies to companies who use or keep any personally-identifiable information (PII) of people living in the EU.
PII is a legal concept that generally refers to any piece of information that can be used to identify, find, or otherwise reach a specific person. The GDPR asserts its own definition of PII that's fairly vague and wide-ranging. This is an aggressive position that gives the GDPR lots of room to pursue its mandate.
Compliance with GDPR directives is a business concern. Information technology concerns are closely related, but the GDPR covers much more than that. GDPR compliance should happen from the top down, throughout your organization. The person to offer the most valuable counsel in this area is likely to be a privacy attorney.
The GDPR refers constantly to the act of "processing" PII. Think of this as meaning "doing anything with it": obtaining it, recording it, storing it, updating it, and sharing it. This means that the most important element to achieving GDPR compliance is making sure that your organization has human processes and computer systems in place for identifying and documenting all of the personal data that the organization processes.
The specific actions your company must take will depend on the details of its operations that touch the European Union; essentially, every scenario in which the company receives or sends out any PII of any EU citizen. The broad expectation of a compliant organization is that it can account for all PII, the permissions granted to use it, and the reasons given for using it.
In general, this is accomplished by creating policies and procedures that are designed to track the when, where, and why of PII coming into your company, moving around within it, and being sent from it. The design of the regulation stems from the consumer rights it asserts:
- Right to be informed
- Right of access
- Right to rectification and data quality
- Right to erasure (aka right to be forgotten)
- Right to restrict processing
- Right of data portability
Visit the official website about the GDPR to learn more about these rights and the GDPR.