NOTE: This article is intended to inform our readers about the current data privacy and security challenges experienced by companies in the global marketplace. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.
No matter your views on regulatory and governing bodies as a whole, I think we can agree that the world finds itself at a tipping point regarding personal data and the internet.
According to a survey from IT Security Central and the Breach Level Index, nearly two million data records are lost or stolen over the course of a single work day. Two billion people willingly hand over data to Facebook every day, and nearly 90 million of them were affected by the Cambridge Analytica scandal.
As a society, we’ve come to the rapid and jarring realization that the misuse of our data isn’t limited to spam calls and credit card theft. Personal data in the wrong hands can sway national elections and international politics.
Enter the General Data Protection Regulation (GDPR), the European Union’s updated personal data privacy law.
If nothing else, GDPR is an attempt to assign responsibility to someone—or, in most cases, some business or corporation—when something goes wrong with our data. At its basis, it establishes an EU citizen’s right to expect that their data will be reasonably managed and protected.
And if it isn’t, it also establishes an EU citizen’s right to expect consequences for bad and negligent actors.
If you read that and thought, “This only applies to European companies,” guess again. The GDPR applies to any company that collects an EU citizen’s personal data.
Complying with GDPR is going to require lots of hard work. And finding yourself in noncompliance will result in hefty fines that could very well put you out of business.
I’ll go into more detail about the consequences of noncompliance below, but first, it’s imperative that you understand the basics of GDPR and how it applies to your business.
I’ll answer some frequently asked questions about GDPR, as well as give you some information about how your IT team can help you prepare for GDPR with better database management and cybersecurity so you won’t find yourself blindsided.
FAQs about GDPR
It’s hard to get used to any new regulation, but GDPR is actually a simplification of an older set of rules: Directive 95/46/EC. Besides being harder to abbreviate, that directive was, so the argument goes, harder to comply with, because it gave each EU member country some wiggle room to interpret data protection differently.
GDPR helps bring all the rules from these various countries under the purview of one mandate and one regulatory body.
But enough European legal history. Let’s get to the future of the internet as we know it.
What is GDPR?
The GDPR (the European Union’s General Data Protection Regulation) gives EU citizens more control over their personal data and how it’s used by third parties.
In short, if you’re collecting personal data from citizens in the European Union, you’ll have to follow strict guidelines about what data you’re collecting, how you manage that data, and how that data is stored and protected once it’s in your company’s possession.
When does GDPR go into effect?
Friday, May 25, 2018.
So you need to put the last touches on your compliance efforts now.
Who does GDPR apply to?
If your business offers goods or services to EU citizens, you’re subject to GDPR. The end.
“Aha!” you might say. “I offer my goods and services free of charge, so GDPR doesn’t apply to me, right?”
Wrong. Even if no money changes hands, you’re still subject to GDPR.
That means that most large corporations will be affected by these new regulations. However, these rules even trickle down to freelancers and independent bloggers. One example of the widespread effects of GDPR: If you have mailing lists for newsletters or promotions, and some of your prospects or customers are EU citizens, GDPR applies to you.
It’s estimated that more than half of U.S. businesses will be affected by GDPR.
How does GDPR affect your business?
Depending on how your business currently handles its customers’ personal data, you could be looking at a lot of work to ensure that you’re compliant with GDPR.
If you’re handling any EU citizen’s data, you’ll need to rethink how you’re collecting, storing, and protecting it, which could have a ripple effect on how you collect, store, and protect all of your customers’ data.
From my perspective covering small business IT management, the biggest change coming for companies responsible for GDPR compliance is the liability you’ll face for data breaches.
Depending on the scale of the breach, preventative and retroactive actions taken, and whether you disclosed the breach within 72 hours of its occurrence, you could be subject to fines of up to €20 million (about $24 million) or four percent of your business’s annual global revenue.
I’m not trying to be a fearmonger with this point, but I think it serves to illustrate the seriousness of GDPR compliance. While €20 million is the maximum fine for, presumably, the maximum crime, smaller mishandlings of data could result in smaller fines of €10 million (nearly $12 million), which is hardly a small fine for small businesses.
The good news is that, once you’ve gone through the effort of becoming GDPR-compliant, the new regulations should help streamline data handling for EU citizens.
Instead of keeping track of the data protection laws of all 28 EU member countries, your company will have to comply with only GDPR, and everything associated with the new regulation will be overseen by a single supervising agency.
How can your IT department help with GDPR compliance?
Before we get into the specifics of the role your IT department can play in GDPR compliance, let me say that responsibility for complying with the new EU regulations shouldn’t fall solely on IT.
Especially when it comes to collecting customer data, for example, your sales and marketing teams should be cognizant of how these new rules affect them and how they conduct and manage their campaigns.
However, when it comes to storage and protection of personal data, that’s where IT can help direct your compliance efforts.
Data storage and handling
GDPR mandates that you appoint a data protection officer (DPO) if your company practices “regular and systematic monitoring of data subjects on a large scale.”
Fun fact: Both “regular and systematic monitoring” and “large scale” are up for debate in terms of when one or both metrics require you to appoint a DPO.
However, if you have any customers in the European Union and you’re tracking their online behavior to serve targeted ads or promote algorithmically determined products to them, you should consider bringing a DPO on board.
Even if you don’t meet these criteria, I’d still suggest that your company start thinking differently about how it handles data—Mark Zuckerberg’s testimony in front of Congress signals that U.S. regulation of personal data handling will be coming down the pipeline in the near future.
And to be frank, a lot of the things that DPOs will be responsible for are things your company should be doing anyway, even if only to protect your proprietary data.
So what can you do to make sure your data is properly stored and managed?
1. Educate all your employees about data best practices
Data governance encompasses all aspects of data management
Even if you don’t have to hire a DPO, I suggest you go ahead and establish a data governance committee. Part of their job will be to establish data management standards and educate all employees on data best practices.
Plus, if you think you’ll have to consider GDPR compliance in the future when your company grows or expands internationally, you’ll already have a cross-team group set up that’s familiar with compliance laws.
I’ve written a more in-depth piece on data governance, so head over there for more tips on how to create your committee.
2. Restrict data access to very specific employees and roles
In a perfect world, employees would always handle data according to best practices. But that’s not the world we live in. While you should make every effort to educate employees about those best practices, it’s also best practice to restrict access to sensitive data to only employees who absolutely need it.
Setting up identity management software can help you restrict access to databases or specific data sets within a database.
3. Find out what data you have
This might sound like the easiest part of this process, but, according to a survey from Veritas, over half of the data that organizations hold is “dark” data, meaning they have no idea what it contains, if they’re even aware that they’re holding on to it in the first place.
My colleague Tirena Dingeldein has a great explanation of how dark data and “databergs” are damaging for business, as well as some in-depth tips for how to find and mine them.
Take a look at data mining software to get a handle on what data is lurking in the shadows, and talk to your IT team about possible locations of dark data.
4. Back up your data
GDPR ensures that EU citizens have the right to request access to their data, as well as request that a company transfer ownership of or delete their data. For that reason, it’s imperative that you back up your data to ensure that it’s on file if or when your EU customers request it.
I’ve already written about some great options for backing up your small business’s data here, so I’d suggest checking that out. Bottom line, you should invest in business continuity software to ensure that your data is always backed up and available.
Discuss best practices for backup schedules and backup storage with your IT team, as every company’s needs will be different.
Another way your IT team can help you get ready for GDPR is in the cybersecurity arena.
No company wants to get hacked, but it happens. In fact, it happens successfully two times per week, and that’s not considering the thousands of thwarted attempts your security team fends off.
Under GDPR, companies are required to report data breaches involving personal data directly to those affected within 72 hours of detecting them, or face hefty fines.
By requiring direct communication with victims of data breaches, along with such severe consequences for failures to report them, the hope is that some rapid and dramatic cybersecurity innovations will take place.
Even if you’re not legally required to comply with GDPR, you should act fast when it comes to beefing up your IT security staff. The job market is already ridiculously competitive.
Ready or not, GDPR is happening
Whether you like the idea of GDPR or not, you’ll be responsible for adhering to it starting May 25 if you hold any personal data on EU citizens.
My guess is that, if GDPR proves effective for the European Union in preventing cyberattacks or giving citizens more of a sense of control over their personal data, other countries will adopt similar policies.
Consider the United Kingdom, for example, which has already stated that it will adopt similar laws regarding personal data after Brexit. It’s the largest market in the world for U.S. service exports.
And if your company ever wants to expand, the United Kingdom’s large economy and population of English-speaking consumers make it one of your best bets as an American company.
Put aside your feelings about international business regulations and consider the fact that backing up and protecting any and all business data, personal or not, is already considered best practice. Transparency with your customers, including on issues such as data breaches, is recommended so that affected customers can take appropriate action to prevent further data theft.
Organizations such as Facebook are already providing more information on what data they collect on their users. That’s not a widespread business practice yet, but it might be after Zuckerberg’s congressional hearings.
So whether you’re taking measures for GDPR compliance or for the betterment of your business, go and protect your data, and respect your customers’ right to data privacy and transparency.