The best way to conform to the EU’s new privacy regulation is to assume that you don’t need to hold on to personal data, rather than the opposite.
The General Data Protection Regulation (GDPR) has been in effect since May 2018, and companies that have done their due diligence to comply with the regulation may feel confident they have their bases covered. However, GDPR compliance rules are not as simple as they might seem at first glance, and there are special use cases that every company should consider. If compliance officers rush through checking the boxes and do not carefully assess the scope of GDPR and how it relates to the company’s data collection practices, they will almost certainly have holes in their compliance plan.
Here are three examples of frequently overlooked compliance issues that could put companies at risk.
1. It’s not just about consumer data

GDPR was designed to create more protections for consumers whose data is collected by different companies. But the scope of the regulation is much more expansive and can be applied in ways many companies didn’t account for in their initial compliance plans. In addition to consumer personal data, companies are also required to handle the personal data of employees, job applicants and non-customers (e.g., people who fill out a form but don’t purchase) with a new standard of care.
The regulation mandates that every data processing activity have a legal justification, so the best practice is to collect only the data that is necessary for essential processing activities, whether the data subject is a consumer, a job applicant, or anyone in between. Companies should evaluate their data processing practices with the goal of data minimization in order to stay compliant with GDPR.
Recommendation: Don’t just review data capture practices; review data retention practices for all data. Make sure you’re properly disposing …
Author: Jason Wang, Founder & CEO, TrueVault