Identify and document where all your data is held and how it is processed. GDPR applies to all personally identifiable information.
"It's important to make sure that US clients are aware of, and understand that 'personally identifiable information' is not the same as the 'personal data' term that is used in the GDPR," says Voisin.
"The term 'personal data' is broader and covers information such as online identifiers, device IDs, cookie IDs, IP addresses, RFID tags. We are seeing a real gap of understanding about this, particularly between the EU and the US, so it's important these issues are ironed out."
Any such data obtained prior to the regulation can still be retained if it is in line with the new rules.
"If it has been obtained lawfully under the current directive, companies can continue using it," says Tobias Guenther, senior legal counsel and data protection officer for Mapp Digital.
"Consents given under this directive will also not necessarily be invalid. The GDPR states that consents do not need to be obtained again or confirmed by consumers, provided they conform to the GDPR requirements."