For those of you with European customers, I'm curious, how are you handling GDPR compliance?

What is GDPR?

The General Data Protection Regulation (https://gdpr-info.eu/) that governs how the data of EU citizens is stored and transferred.

Penalties

Could be 10-20 million euros or 2-4% of global revenue (whichever is higher). Yowser!

What does it cover?

Any personally identifying data, name, address, etc., but also cookies and IP addresses used to track activity. Not just the data on your servers, but any data hosted on SaaS platforms (think Salesforce, Dropbox, Google Drive, etc.), in the Cloud (AWS, Azure, etc.) or shared with 3rd parties as well.

What can't you do?

In short, store the personal data of EU citizens anywhere that doesn't adhere the the EUs strict rules either by being a country recognized as complying, or having lots of specialized business agreements in place.

What must you do?

At a very high level that barely scratches the surface (I am not a lawyer)...

• Allow opt outs for cookies, etc.
• Capture explicit opt ins (no pre-checked boxes, no fine print).
• Make sure data is accurate. So if a customer updates their information in one system, make sure it's updated in all your others as well. Not just the data in your databases, but third parties you've shared that data with as well (automated updates and push notifications from your customer master would be prudent), and ensure inaccurate data is never processed.
• Be able to export and share all a customers data (including transactional data), within one month of request. 
• Be able to delete a customer and all records associated with the customer, across all your systems, within a month of request.
• Notify the commission within 72 hours of a data breach of any kind.

I'd love to hear about:

• How you're approaching GDPR compliance.
• Which hosting companies and SaaS vendors have policies in place to support GDPR.
• Your biggest GDPR challenges.

Thanks!