We’ve all been hit with endless offers of GDPR webinars and product pitches, so I’m not going to repeat the stuff you can find there. But there are some big-picture points you might not have picked up yet, and they’re worth summarizing here.
Point #0: Talk to your attorneys. Even though the regulations may seem irrelevant to you and your business, ignorance of the law is no excuse … and is definitely not bliss. Even if you do no business in Europe, your business is likely to be affected by GDPR and could incur penalties. Why? Because there are plenty of ways that European citizens can get their data into your systems without your knowledge, and if they’ve done so you’re supposed to be complying with the new regulation. And the penalties for non-compliance can be surprisingly high. That said, none of this has been tested in court or regulatory appeals yet, so it’s going to be murky territory for a while. Pay your attorneys for practical advice on how to minimize the business risk (even though you’ll see below that it can’t be eliminated).
Related to this are a couple of fundamental disclaimers: I am not an attorney (I don’t even play one on TV), and you must not take anything in this article as legal advice.
Point #1: Ignore screams of “we’re not compliant!” While non-compliance for your company is very likely to be true in the abstract, if you are perfectionist in the interpretation of GDPR everyone is non-compliant. There is no product that can make you compliant, there is no consultant who can guarantee compliance, there doesn’t appear to be a “seal of approval” that certifies compliance, and I would be stunned to find an IT vendor willing to indemnify you if you are non-compliant. (You might be able to get some coverage under your corporate insurance policy, however.) So start with triage and work on the killer risks first.
Point #2: CRM systems, marketing automation systems, and websites are ground zero for GDPR issues. These systems hold lots of information about people, and they are virtually certain to not hold any data about their citizenship. So these systems need to start holding opt-in information and other metadata needed to enable GDPR compliance, and synchronizing this data so all your processes act consistently. Your website registration forms need to provide special pathways for European citizens (to make sure they are exposed to all the right disclaimers, notices, and check boxes) while exempting people who claim they are not European citizens (so they aren’t burdened with irrelevant information and options). While working on these centralized systems, realize that there’s a decentralized risk that’s even greater … we’ll get to that.