GDPR: A Privacy Policy Shift for Companies that do Business in the EU

May 24, 2018 Posted by Ashley Hart

May 25 is the launch day for the European Union’s General Data Protection Regulation, or GDPR. While the intent, seemingly benign, is to protect the privacy of EU citizens, the GDPR has sent waves of panic to companies all over the world. That’s because it applies to any and all companies that collect personal data on EU citizens, even if those citizens live in another country. For example: if an e-commerce merchant based in Chicago sells a product to a French citizen, that citizen’s data is subject to GDPR, and it’s the merchant’s responsibility to comply with the regulation or face the consequences. For industries that are global in nature, like financial services, hospitality, pharma, retail, defense, etc., the effect will be enormous.

What Changes Will Be Necessary?

Obviously, companies that gather and store personal data will have to double down on the compliance front. The GDPR includes what is commonly known as “the right to be forgotten,” so companies will have to know what information is in their databases and who it belongs to. If a person demands that his or her personal information be purged, then the company will be solely responsible for finding it and erasing it. For that reason, it’s essential that companies do these four things:

1. Assess the Data That You Have

Who does it belong to? How many of your “data objects” are residents of the EU? (And, remember, they can be living anywhere, not just in the EU.) Perhaps most importantly, who is the custodian of your data? At the end of the day, your data custodian (whether internal or third-party) will be your point player on compliance issues.

2. Put Together a Project Plan

Do you have executive buy-in for the measures you are going to have to take? Have the executives been fully briefed on why this is necessary? Will it be necessary to hire a professional person or staff to implement and enforce whatever steps you adopt? Have you considered how you will handle employee data?

3. Procedures, Monitors and Controls

Is your data security team fully versed in their duties and accountability for GDPR compliance, and are they well-trained enough for the task? Will you be able to handle requests from individuals who want to see what personal data you are holding? Will you be able to delete the data if and when they request it? Are you reviewing your data regularly, keeping it updated and making sure it’s easily retrievable?

4. Documentation

Are your internal procedures thoroughly documented? Are your policies on data handling specific, measurable and actionable? Does any third party that may process or even touch your data know its responsibilities regarding GDPR? Do they know your policies and are they in compliance with them?

Summary and Conclusion

In a short article like this, it’s impossible to examine all of the ramifications of GDPR non-compliance. Suffice it to say they can be draconian. But there are also some unique (some would say unfair) requirements. For example: if holding personal information on a specific person is deemed to be in the interest of national security or law enforcement, then deleting that information violates GDPR. This leads to a dilemma: how is the data custodian to know whether a data object is important to law enforcement or national security?

Clearly, GDPR is going to cause some challenges and some headaches, but as it evolves, its over-arching objective — to protect the identity of individuals and prohibit unauthorized usage of same — will remain a goal worth striving for.
