I have had the opportunity to speak at various times on privacy law, most recently in a spate of presentations on New Mexico’s new breach notification law.
Unfortunately, the real 600-pound gorilla in the room is the impending GDPR: the European Commission’s General Data Protection Regulation.
In the simplest terms, if you have or intend to hold personal data of an individual who is either a citizen of the EU, or is currently residing in a nation of the EU, you are required to follow this law. It is truly a long-arm law that has sweeping implications for the entire world.
Now, with that said, the impacts to your organization are entirely predicated on whether you’ve been handling personal data in a responsible manner all along, and in compliance with the patchwork of state laws established here in the U.S.
If you have, then GDPR really just asks you to ‘step up your game’ a little – such as faster turnaround time on notification – but the crux of what actually has to be done by your organization doesn’t change too much. This is otherwise known as the ‘high watermark’ tactic, and it probably makes the most sense for most small enterprises where the personal data itself is not actually part of the business model (versus companies with Facebook- or Google-like models of selling and making money off of that personal data).
There are a lot of articles on the Internet right now trying to get everyone ready, since we’re less than a year out from compliance, and the possible fines for non-compliance are potentially ‘door-closing’ in size. With that said, here are a few quick articles to whet your appetite…