The General Data Protection Regulation (GDPR) compliance deadline came and passed in May 2018. How did your organization do?
Are you confident that you have met the compliance requirements, are adequately protecting users’ personal data, and are informing users of their rights under the regulation? Have some of the GDPR requirements been confusing or simply difficult to meet? Are you reading this article and realizing you’ve never heard of GDPR before?
Undoubtedly, the GDPR changed the way businesses operate online. Every time you visit a new website and it gives you a pop-up asking if you want to accept cookies, the GDPR is making its presence known. Small and mid-sized businesses (SMBs) may not think the standard applies to them, but often, it does and they aren’t prepared—even after the compliance deadline has passed. Research from TrustArc published in June found that just 20 percent of responding organizations are GDPR-compliant.
Compliance with GDPR is important not only because of the threat of fines and regulatory action (which we’ll get to in a bit), but also because the data privacy the standard sets forth is becoming an expectation with consumers. Here is some more advice on navigating the GDPR waters:
What Is GDPR?
The GDPR was designed and implemented by the European Union to strengthen data privacy for individuals in the EU (the regulation protects people located in the EU, not only EU citizens). The idea behind it is that personal data is property, and an individual has a right to have that property protected by the organizations the individual interacts with. The regulation replaces, and goes well beyond, the EU’s 1995 Data Protection Directive (95/46/EC).
Adopted in 2016, the GDPR became enforceable on May 25, 2018, although at the time of writing the regulators had not yet announced investigations or penalties under it. Key provisions of the regulation include:
- Mandatory notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and to the affected individuals without undue delay when the breach is likely to put them at high risk
- Enhanced data privacy protections, including a requirement for appropriate technical and organizational security measures
- Erasure of an individual’s data upon request (the “right to be forgotten”), subject to some exceptions
- Individuals’ right to access the data an organization is keeping about them
And the penalties should be noted: companies in violation of the GDPR can face administrative fines of up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher (a lower tier of 10 million euros or 2 percent applies to less serious violations). The prospect of such large penalties is what had larger companies scrambling before the deadline.
Why Does the GDPR Apply to My Business?
North American SMBs might think themselves immune to the effects of the GDPR, but for many businesses, that’s a false assumption. The regulation applies to any organization, wherever it is based, that offers goods or services to people in the EU or monitors their behavior there. Doing any commerce in Europe, even if it’s just someone in the EU going online to order your product, puts you in scope, and so does sending marketing email to an EU resident on your mailing list.
The regulation’s fines look scary, of course, though how those fines will be applied to and enforced against American companies remains to be seen. That said, being in violation of the GDPR can interfere with your ability to conduct business in the EU. Moreover, as already stated, consumers are expecting, even demanding, that companies care for their personal data. A breach combined with noncompliance is simply bad business. Data privacy laws in the U.S. appear headed in the GDPR’s direction, and sector-specific laws such as HIPAA already impose breach notification and access obligations in the same spirit, so getting on board with the regulation now puts your SMB ahead of the curve instead of constantly chasing it.
Whether you have already made baby steps toward GDPR adherence or seem miles away from meeting the standard, you can take action to get closer to compliance, including:
- Familiarizing yourself with some of the finer points of GDPR terminology and requirements
- Conducting a data audit to discover what personal data you hold, where it is stored, why you collected it, and how you are using it
- Classifying data and identifying which customer information is sensitive and which poses little risk
- Determining which users and systems have access to which customer data, and removing access that isn’t needed
- Making opt-in forms and cookie consent GDPR-compliant
- Monitoring email archiving and data backup
- Training IT staff and other key stakeholders on GDPR compliance
- Developing a data breach response plan
This list may appear lengthy, but SMBs are already doing some of the items on their own or with the help of a managed service provider and/or third-party solutions. Take a deep breath—it’s going to be all right …
The need to keep customer data safe is an impetus behind the GDPR and part of the frustration consumers feel when they read about yet another data breach. The regulation requires organizations to implement security measures appropriate to the risk, and it names encryption and pseudonymization as examples, so strong IT security is not just good practice but part of staying on the right side of the rules. Multi-layered solutions protect customer data wherever it resides and however it’s being used. Encryption protects data in transit (for example, TLS for email and web traffic) and at rest on your servers and backups. Monitoring and alerting matter just as much: you cannot meet the 72-hour notification deadline for a breach you haven’t detected, so your systems should be watched continuously and should raise an alarm, or take automatic action, when a threat is present.
The best strategy for a data breach is never to have one. Being proactive with cybersecurity can help with that goal, which has become all the more critical in the age of GDPR.