Many companies do business in the EU without having a physical business presence there. These companies have been able to collect, process, and protect their customers’ personal information with little regard for the various EU privacy laws. As of May 2018, this changes with the enforcement of the General Data Protection Regulation (GDPR).

What is GDPR?

Since 1995 the EU has had a directive in place requiring member states to enact laws to protect personal information. The directive provides a framework for these laws. As you can imagine with 28 sovereign states, there are variations in how the laws have been enacted and how they are enforced. Additionally, businesses may need to interact with government officials, called data protection authorities or supervisory authorities, in each member state to legally process personal information in the course of running their operations.

Several years ago, talks began to find a way to unify personal information protections across the EU and to ease regulator interactions for businesses. From these discussions, GDPR was developed and passed.

GDPR is an EU-wide regulation for the protection of personal information related to individuals in the EU. It applies not only to organizations with a presence in the EU, but also to organizations that provide goods and services to people in the EU. This last scoping statement affects many unsuspecting organizations.

Not complying with GDPR may result in fines of up to 4% of your organization’s global revenues.

What is personal information?

In the U.S., while it is a good practice to protect all personal information you collect, most laws and regulations focus on sensitive information such as government-issued identification numbers, financial accounts, and health-related information. Generally speaking, there are few limitations on how information may be processed.

The definition of personal information in the EU is "any information related to an identified or identifiable natural person." This is very broad when compared to the enumerated definitions used in most U.S. regulations. By default, you cannot process personal information obtained from someone in the EU unless there is a clear legal basis for doing so.

The EU has identified some types of information as special categories, similar to the sensitive information described above for the U.S. The categories are very different from those in the U.S. and include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, and criminal convictions or offenses. The processing of these categories of data is, again, prohibited unless strict requirements are met.

GDPR requirements

If you are providing goods and services to the EU, under GDPR there are several things you will need to consider, which include:

Given that your organization has not previously been exposed to this level of regulation for the collection, processing, and protection of personal information, these requirements may never have been considered by your organization.

A data protection officer

An organization under GDPR is accountable for the protection of personal information. A data protection officer, or DPO, is fundamental to successfully meeting this accountability requirement. The responsibilities of this role include:

Naturally, a DPO must rely on many departments to actively participate in a data protection program. It is vital that the DPO achieve organizational alignment on data protection goals and be able to demonstrate to regulators the organization’s compliance with the data protection program.

The expectation is that a DPO has a level of independence within the organization. Also, the DPO should report to the most senior level of the organization about the state of data protection and potential risks.

Depending on the size of your organization, a full-time DPO may not be required. The responsibilities of a DPO may be assigned to someone in your organization who has other responsibilities, or these responsibilities may be outsourced.

What can you do now?

GDPR enforcement is just around the corner. In fact, some EU states have begun incorporating components of GDPR into current law. If your organization has not yet started to prepare, there are steps you should take at once.

Start by inventorying the categories of personal information you collect that may originate in the EU. This may include customer, vendor, and other stakeholder information, including that from employees. Also identify the processes that use this data.

Next, attend a GDPR training to understand your obligations under the law. (Note: In full disclosure, Privacy Ref provides this training through our partners at CyberDefenses and the International Association of Privacy Professionals.) Alternatively, engage someone who is familiar with the requirements.

Using the inventory and your newfound knowledge, you can perform a gap analysis to determine where you are compliant and where improvement is required.