by x0x0 3033 days ago
You're completely wrong.

Just for starters, you will need to decide which data you have to process and which is optional. Some data will need to be kept for compliance purposes. How much anonymization will be applied? What data is in every single internal db in your org? Do you even know of all the internal dbs? Each piece of data will have to be tagged with its collection basis, either legitimate interest or consent.

The GDPR is also -- as I've complained on here before -- less of a regulation and more of a framework for 30-odd individual country privacy regulators. Some parts of the GDPR, e.g. on consent, are laid out in black and white. Other parts aren't at all. And the EU wankers have declined to issue final guidance on the latter even by this date, less than 3 months from the compliance deadline.

There's also cute stuff in there like: if you have more than 250 employees or engage in "widespread processing of personal data" (widespread processing left, of course, undefined), you will have to hire a Data Protection Officer. Said DPO must be in the EU and report to the CEO. This will be quite a nice cottage industry for EU lawyers.

American companies are probably unable to pick a lead regulator and hence will be subject to the individual regulators of each EU country. What happens when some French person (France has a very aggressive privacy regulator) complains to the regulator, and you are dealing with a regulator in a language you don't speak? I hope you enjoy paying $600/hour in legal fees.

The GDPR does specify enough around consent (i.e. all consent-basis contacts must be default opt-out) to make it highly unlikely that any of your email or newsletter opt-ins are compliant. You will have to re-consent all of your marketing emails, and this may come with significant attrition. This will be painful for outbound sales, even outbound sales that is currently very respectful of opt-outs.

Data subjects can also do things like request a copy of all data (a so-called Subject Access Request or SAR), request deletion, and even freeze processing, which is supposed to stop processing without deletion. This must percolate through all third-party systems, of which most companies will have a lot. Just start with your two mailing systems (transactional + marketing), logs, analytics, billing, Salesforce, etc. And as mentioned above, it is required to percolate through internal systems.

You will have to have an ugly discussion about backups. Are you going to roll backups at 30 days? That's probably not ideal. But what should happen when a data deletion request is received and that data is, of course, sitting in backups?

The short story is this is expensive and painful enough that, if I only had incidental European customers, I'd probably ignore it and close their accounts if they complain. This is very much not GDPR compliant, but as an American company, I'd do it anyway because of the expense of dealing with the above.

1 comment

All of those things that you listed are things that you should have done a long time ago, before you started collecting and storing the data.