There is no one size fits all solution to GDPR compliance. Any legitimate solution begins with a comprehensive review of your data collection, use, storage, security, processing, update and removal practices.
Once you understand your own data practices, only then can you begin the process of determining the most appropriate customer notice provisions for your privacy policy.
GDPR compliance is not a set once and forget compliance task. Rather, it requires and will continue to require the ongoing examination and evaluation of your policies and practices as to all EU data.
The GDPR is an European Union law. How is my company affected?
The GDPR applies to any company offering its goods or services to EU data subjects. Enforcement is granted to non-profit entities to whom EU data subjects can assign their rights. It is expected that such entities will be driven by the plaintiff's bar and motivated by financial gain to pursue violations around the world based upon local laws based in part upon the violation of "any" law. How courts will deal with this issue remains to be seen, however, common expectation is that compliance may well be required via local jurisdictions.
What are the potential penalties for non-compliance?
The GDPR has two levels of penalty that can be imposed contaning large maximum penalties or a percentage of gross worlwide annual revenue. It remains to be seen whether the penalty componants of the GDPR will apply outside of the EU and to what extent.
What is involved in the process of bringing my company into compliance?
The GDPR is probably the single most comprehensive privacy law enacted to date. Compliance can take many forms depending upon data that your company collects, how it is used, why you collect it, how long it is kept, how it is protected and how your company decides to accomidate the individual rights granted to GDPR data subjects. Our process involves guiding you step by step through investigation, reporting, policy making and communication with your employees and customers. The cost and length of the project is highly dependant upon the number of data classes you have and your decisions as to how you wish to implement the newly established rights that may be applicable. We also review and update your Customer Acquisition Process to help ensure that your policies are properly implemented.
The compliance deadline was May 25, 2018. Am I in trouble and is it too late to comply?
The GDPR grants a set of specific rights to EU data subjects. Only by going through the process of evaluating your data can you determine any specific violation and evaluate your risk. It is not too late to determine your need to comply or to comply if necessary. If there is a need to comply, the longer you wait to bring your company into compliance the greater risk there is and the chance that a larger penalty could apply for the failure to do so.