As of May 25, GDPR is the law in the European Union. Any corporation that stores or captures private data of European data subjects must comply with the General Data Protection Regulation. Of course, that's no problem because your organization is already 100% good to go, right? Just in case that isn't true, now is the time to take a closer look at key areas in which most organizations are vulnerable to a possible GDPR privacy breach. While GDPR rules are indeed a hot mess, you can begin to achieve more clarity by focusing on some adjustments that will help you reduce risk.

Scrutinize these functional areas for vulnerabilities and recommended GDPR fixes:

Marketing

Marketing teams often store personal data for individuals as part of the effort to get the word out about products or services. While that is allowed under GDPR, you will need to add some new checks and balances to this process. Namely, it is important that individuals are notified that you are capturing and storing their private information – including email addresses – and that they have the option to have you remove this information. The notification part can be done on the same webpage where you are asking for their information. For the existing list of contacts, you will need to send them an email that notifies them that you are collecting their information and gives them the ability to opt out, in which case you will then remove their data. You will want to make sure that your customer and contact databases have the ability to remove customer data when they request it.

Sales

If a customer has an ongoing relationship with you for support or continued payments, you are not required to remove their information if/when they request it, because you have an ongoing business requirement or a contractual obligation to maintain that information. GDPR requirements are specific to individuals, not companies. As business contacts change within a company, you will need to modify the contact information, especially when requested by the person whose data you are storing. If a contact person at a company requests that you remove their specific information, you need to do so without jeopardizing the corporate account. Additionally, you will need to keep an audit log of the fact that you removed the individual's personal information – which is a bit tricky. How can you have an audit log that says, "I removed Pete Green's information" without mentioning Pete Green's name? Well, the EU has finally determined that it is okay to mention Pete's name in the audit log as the person whose personal details you removed from your main systems.

Vendors/suppliers

It is vital that you have a Data Processing Addendum (DPA) to augment your vendor agreements. This addendum needs to spell out the types of data that the vendor may be required to store on behalf of your customers and the requirements that you have in place that they need to follow. Data privacy addenda have been all the rage over the past few weeks. You've probably thrown away several from your email inbox. The legal basis for this is that you can represent to your customers that you are holding your vendors accountable at the same level with which your customers are holding you accountable.

Human resources

Training is an important part of demonstrating GDPR compliance. Your employees need to be trained on how to handle customer private data, and you need to maintain records of who got the training and when. There are several good resources available for computer-based training. Check out Pluralsight or Wombat Security.

Privacy isn't just for your customers. Your employees have privacy rights also. The extent of these rights varies by country of origin in the European Union and may extend to expatriates living outside their home country. It is important to put together a policy that incorporates your employees' data as well as the vendors you might use to process employee information. Remember to include companies that process health insurance, retirement plans, dental and life insurance, background screening, legal and other services you offer to your employees. All these providers need to treat your employee data securely and in compliance with GDPR standards.

Legal

Contracts need to be reviewed for the correct privacy language. You have a responsibility to hold all your suppliers to the same standard of privacy protection that you provide to your customers, so you need to review with your vendors how they protect privacy, particularly if your vendors have the ability to see or modify your customers' data. Make sure you have the right language in your DPA and that you provide this to your suppliers, channel and product partners.

Now's the time to get control of GDPR!

This is not meant to be an exhaustive list of everything you may need to do. It is more a discussion about some of the main areas where most businesses are vulnerable and some ideas about how to get compliant. The rules for GDPR compliance can be daunting and will need to be adjusted as companies find issues and loopholes. The most important thing is to get started. Just because the rules are confusing doesn't mean the application of privacy principles needs to be. With some simple adjustments you can make sure your company is well set for safeguarding privacy for customers, employees and partners.