GDPR Compliance Solutions Services

The General Data Protection Regulation (GDPR) is one of the most rigorous standards for the collection and use of personal information (PI), otherwise known as personal data.

Previously, only companies based in the European Union (EU) collecting personal data from EU citizens needed to follow this standard. Now, any company doing business in the EU needs to comply with it, including companies based in the United States.

General Data Protection Regulation Compliance

GDPR compliance became mandatory on May 28, 2018. Its purpose is to allow EU residents to better control who uses their data and why. The standard also helps improve data security in part by creating a unified standard for PI for companies who do business in the EU.

At Solvere One, our team helps US companies nationwide implement successful measures to comply with the GDPR and avoid penalties.

The GDPR considers personal data to include any information that relates to an individual or can be used to identify an individual directly or indirectly. Understandably, this is a broad definition, so the GDPR provides some specific examples:

Penalties for Non-Compliance

Being ignorant of the GDPR isn’t considered an excuse for non-compliance.

If you’re a US company collecting personal information from EU residents, you must follow protocol or face financial ramifications.

The fines cannot exceed 20 million euros or 4% of global revenue, whichever number is higher.

In addition, any EU citizens affected by your misuse or compromised security of their information can seek damages.

• Restrictions on the use of data.

  Companies must abide by certain principles for personal data use, including processing transparency, only using personal data for specific purposes, and only keeping data long enough to fulfill that purpose. You must process information in such a way to ensure security and confidentiality.

• Be able to show compliance.

  If you’re GDPR compliant but can’t prove it, then you aren’t considered compliant. There must be proper documentation to demonstrate your compliance and avoid penalties.

• Apply appropriate technical and organizational measures.

  You must consider data protection when creating any new product or service under the GDPR. Technical measures could include requiring password best practices for employees, while organizational measures could mean adopting new privacy policies regarding PI or controlling employee or third-party access to PI.

• Notify subjects when something goes wrong.

  In the event of a security breach, the GDPR gives you 72 hours to tell the victims. However, if you encrypt personal data—reducing the chances that someone would be able to use it—you may be exempt from this requirement.

• Data processing must be justifiable.

  There are six instances in which the GDPR considers using personal data acceptable, and you must meet at least one of them to be able to process data. These include unambiguous consent, preparing a contract in which the person is a party, and performing a task in the public interest, among others. If the reason for justification changes, it must be documented and the subject notified.

This is not a complete list. You must also have consent from the individual to process their PI, as defined by the GDPR. This means permission is given freely and clearly, and subjects can decide to renounce their consent at any point. Your business may also be obligated to appoint a Data Protection Officer (DPO), a person responsible for maintaining GDPR compliance at your organization.