How Does the General Data Protection Regulation Affect Your Business?

U.S. businesses are becoming concerned about the General Data Protection Regulation (GDPR), which the European Parliament approved in April 2016. The GDPR comes into effect next month, on May 25, 2018. Although the GDPR is an EU privacy law, U.S. businesses that handle data about people in the EU will be affected, and they need to know how to prepare to protect both their customers and themselves.

What is the GDPR?

The GDPR is a regulation meant to ensure that organizations respect the privacy of people in the EU. It is the European Union’s legal framework for requiring companies to provide effective, practical protection for the personal data they hold, and it governs how businesses may collect, store, process and use that data. The EU also intends the GDPR to replace the patchwork of national data protection laws with a single set of rules across member states, as part of its Digital Single Market strategy.

Does GDPR Compliance Apply to My Business?

The GDPR applies to any business that offers goods or services to people in the EU, or monitors their behaviour, and stores personal data about them. It does not matter whether the business itself is located in the EU, and the rules protect people residing in the EU, not only EU citizens. Personal data is any information relating to an identified or identifiable person, such as names, photos, email addresses, bank details and computer IP addresses. If your company collects this kind of data from people in the EU, regardless of where the data is processed, GDPR compliance applies to you.

How Should Businesses Prepare for GDPR Compliance?

At a minimum, your company should make a named person responsible for GDPR compliance. Appointing a formal data protection officer (DPO) is mandatory only for public authorities and for organizations whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of sensitive categories of data, but many companies appoint one anyway. The penalties are severe: for the most serious violations the EU can fine offenders 4% of global annual turnover or 20 million euros, whichever is greater (a lower tier of 2% or 10 million euros applies to other violations).

Unfortunately, complying with the GDPR is not a straightforward, simple task. There are no shortcuts or one-size-fits-all checklists. Companies will have to involve employees in different roles, including their security, legal, privacy, operations and infrastructure departments. This is not just an issue for your IT department. The compliance picture will also keep changing as other countries enact their own privacy laws.

Nymity, a GDPR compliance resource, advocates adopting Structured Privacy Management, which is broken down into three components:

  1. Responsibility: Appropriate technical and organizational measures have been identified and are implemented and maintained on an ongoing basis.
  2. Ownership: An individual (or function or business unit) is answerable for the management and monitoring of those technical and organizational measures.
  3. Evidence: Documentation is produced as a result of implementing each technical or organizational measure, and that documentation can be used as evidence of accountability and compliance.

Employee privacy training will have to be ongoing as well. Not only must all employees who handle personal data be trained in keeping it secure, they must also be trained to respond quickly and professionally to data breaches so that damage is minimized and notifications go out on time: the GDPR requires that a breach be reported to the supervisory authority within 72 hours of the company becoming aware of it, and that affected individuals be informed without undue delay when the breach poses a high risk to them. This of course requires that a company create a formal breach-response process before it can train employees to carry it out.

Another complication is that many of the particulars of GDPR implementation are still unsettled. No company is an expert yet, and it remains to be seen how the EU’s supervisory authorities will enforce the regulation. That does not mean your business should ignore it until there is a problem.

For further help on the practicalities of GDPR compliance, here is Hubspot’s compliance roadmap for reference. And here are some more preparation specifics from Imperva.

While all of this may seem like an enormous hassle and cost for businesses, restoring privacy and safety to internet users benefits almost everyone in the long run. Privacy standards are currently too weak, and individuals are at risk both personally and financially. Consumers are now used to having their privacy compromised and their data breached, and they are becoming distrustful of websites that gather and sell their data. Building and maintaining customer trust is as crucial a task for any business that wants to succeed over time as gathering data is. Facebook is finding out how expensive it is to lose its users’ trust. Don’t let this happen to your business. Make arrangements now to comply with the GDPR.