IDG Contributor Network: Are you ready for the GDPR in May?

[Note: The author of this article is not a lawyer and this article should not be considered legal advice. Please consult a privacy specialist.]

The basic news

The GDPR covers all personal data your company stores on data subjects in the EU – whether or not your company has nexus in the EU. Personal data is defined as data that can be used to identify a person. It’s similar to the concept of personally identifiable information (PII) that we have in the US, but it is broader. PII typically includes actual identifying elements like your name, social security number, and birthday, focusing mainly on the data required to fake your identity with a lender. Personal data includes what the US calls PII, plus any data that can be used to identify you in any way, which includes things as basic as an email address, an online persona (e.g. a Twitter handle), or even the IP address from which you sent a message.

A data subject is the “person” to whom the personal data applies. To be subject to the GDPR, the subject must be an EU citizen residing in the EU at the time the data was created. The location of the company or its headquarters is irrelevant.

There are several aspects of the GDPR, including the requirement that companies act responsibly in gathering and storing personal data, which means collecting only the data necessary to do the task at hand. For example, if you don’t need to store the data subject’s IP address, don’t store it. You must also take privacy into account in all aspects of system design. The GDPR calls this Privacy by Design. Some companies will be required to appoint a data protection officer, or DPO. (In this context, data protection is more concerned with privacy than with backup and recovery.)