New data privacy regulations went into effect May 25, but one month after that, only 20 percent of U.S., UK and EU companies surveyed indicated they believed they were GDPR compliant. Though companies had two years from the date of enactment to fully comply, early adopters rolled out changes prior to the May 25 deadline, sending privacy policy notifications to online customers, subscribers and members.

The General Data Protection Regulation (GDPR) standardizes transparency laws governing how companies collect and store EU citizens’ personal data. The GDPR applies to any company that interacts with an EU data subject, regardless of where the company is located. The widened geographic reach means a vast range of U.S. businesses that previously did not need to comply with EU data protection rules will now be affected by the full scope of the law.

“If your database contains EU citizens, no matter where they live or how many you have, you should get started,” says Paul Elfstrom, PPAI’s director of information technology. “In the long run you’ll have a better handle on your data and reduce the risk of potential fines in the future.”

Elfstrom, who has been implementing GDPR requirements for PPAI, says there are complexities. “Understanding the regulations, system impact, organization impact, customer impact, data entry and exit points, vendor integration points, etc., is not an easy task and it takes time,” he says. “As a progressive organization, I feel we’re taking the necessary steps to protect member and nonmember data. Privacy and security initiatives are an ongoing process and part of today’s normal course of business.”

To help you on your path to GDPR compliance, check out these resources: The official European Commission website has detailed information about GDPR along with associated articles. Also, in January PPB published a comprehensive article on the topic along with a list of actions needed. PPAI has also prepared a white paper; find it at www.ppai.org/GDPR.