I have had the opportunity to speak at various times on privacy law, most recently being a spate of presentations on New Mexico’s new breach notification law.

Unfortunately, the real 600-pound gorilla in the room is the impending GDPR: the European Commission’s General Data Protection Regulation.

In the simplest terms, if you have or intend to hold personal data of an individual who is either a citizen of the EU, or is currently residing in a nation of the EU, you are required to follow this law.  It is truly a long-arm law that has sweeping implications for the entire world.

Now, with that said, the impacts to your organization are entirely predicated on whether you’ve been handling personal data in a responsible manner all along, and in compliance with the patchwork of state laws established here in the U.S.

If you have, then GDPR really just asks you to ‘step up your game’ a little – such as faster turnaround time on notification – but the crux of what has to actually be done by your organization doesn’t change too much.  This is otherwise considered the ‘high watermark’ tactic, and probably makes the most sense for most small enterprises where the personal data itself is not actually part of the business model (versus companies that have Facebook or Google-like models of selling and making money off of that personal data).

Now, if you just can’t stomach the EU’s stance that privacy is a right (unlike the U.S., where it is most definitely not), then you’ll probably have to seriously consider segregating your operations and data, or recruiting professionals who can reconfigure many of your business processes, data storage, and data flow/handling mechanisms. For example, the EU uses opt-in (the customer has to proactively give permission for you to retain or use their data), versus the opt-out that is more often used in the U.S. (the customer’s data can be used in accordance with the company’s privacy policy unless the customer specifically opts out of the usage or ceases doing business with the company).

There are a lot of articles on the Internet right now trying to get everyone ready, since we’re less than a year out from the compliance deadline, and the possible fines for non-compliance are potentially ‘door-closing’ in size. With that said, here are a few quick articles to whet your appetite…