According to a survey conducted by storage software vendor Veritas, 2 in 5 or 40% of what the EU calls “data subjects” (and what the rest of us call people) plan to ask businesses what data they hold on them within the first six months after the GDPR goes into effect later this month.
Even if the 40% turns out to be 10%, that is going to be an amazing hardship for businesses.
Under GDPR, businesses have about 30 days to provide that information. They need to figure out which John Smith is requesting the data, on what systems (local, in the cloud and with vendors) they have that person’s data, collect and format that data in a manner that is consistent with the GDPR requirements and deliver it. All within less than 30 days.
Which companies have to deal with GDPR?
In general, companies that collect data on EU people – customers or just people who visit their website.
Different companies face different risks. The companies at the highest risk are those located in Europe. Those are followed by ones that have operations (business units) in Europe. At the lowest risk are companies based in the U.S. who may interact with a few EU data subjects.
Other responses from the survey include:
- 56% plan to approach financial firms with data privacy requests
- 48% plan to approach social media firms
- 46% plan to approach retailers
- 24% plan to approach employers
- 21% plan to approach healthcare providers
- 65% of those who plan to contact these businesses will ask for access to the data those companies have
- 71% of those who contact businesses will ask them to delete the data
Information for this post came from Computing.co.uk.
Based on that, what should you do?
First, if you live in the US, this doesn’t apply to you unless a company voluntarily chooses to honor such requests.
BUT, if you are a business and you have customers in the EU or have a division in the EU and you have not already started working on complying with the rules, you likely will not be able to comply by the May 25th deadline.
What we don’t know is what the EU regulators plan to do.
Given there are tens of millions (or more) of businesses, the odds of any one business getting zapped are low.
UNLESS one or more people complain about you to the regulator.
And we don’t know how many resources each regulator plans to allocate to this process.
It will certainly be interesting to watch. Unless you are the one that the regulator picks on.