What is The General Data Protection Regulation and do You Need to Comply?
Hint: Yes, you do.

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) will take effect on May 25th 2018 and will protect all citizens in the European Union. This means that even though a company may not be based in the EU, if the company collects data on EU citizens, those citizens are protected under the GDPR. Failure to comply with the GDPR can result in a fine of €20,000,000 (close to $24,000,000 USD) or 4% of annual worldwide turnover - whichever is GREATER! This is obviously very serious, and all companies that collect customer data should be aware of this new regulation and take steps to comply with it.


Review and revise your privacy policy.
Update the privacy policy to reflect the GDPR. Detail why you collect customer data and be very specific about what you are using it for.

http://www.marriott.com/about/privacy.mi (notice all the hidden divs)


Audit all of your personal data.
How is it being collected and where is it stored? Do you have proof of consent? Does it reside in any archived backups? How long is it necessary to keep it? Review your data collection procedures and data storage. Treat customer data as a liability and consider having a third party store all customer data. The locations of all customer data must be known and documented.
Delete any customer data that is no longer necessary.

Recollect customer data.
If any data was collected in a way that was not compliant with the GDPR, or there is no proof of consent, that data should be recollected in a way that falls under the guidelines of the GDPR. The data subject must explicitly give provable consent to the data processor before their data can be processed. Additionally, the data must only be used for the purposes for which consent has been given.

Put an entity or person in charge of your customer data.
You may want to hire or appoint someone as a Data Protection Officer, or consider hiring a third-party data store to house all of the sensitive customer data.

Develop a plan for customer data removal.
One of the hardest parts of GDPR compliance will be the right of a customer to be forgotten. When a customer requests to be forgotten, every trace of that customer's data across all systems needs to be removed. This includes anywhere the customer's information is either written down or printed out on paper; those documents would need to be shredded. Any customer data that resides on backups would need to be removed as well. Develop a plan to take care of these requests.

Consult a Lawyer.
The consequences can be severe if you don't comply with the GDPR. It would probably be best to consult with a professional for legal advice on this issue. Are the steps that you are taking enough to keep you from being liable?