You've no doubt seen a flurry of privacy notice updates in your email in recent weeks. If you've been out of the loop on the newest data privacy regulation in the European Union, the pop-up notices on your familiar sites and tools might offer a clue to the scope of the GDPR regulation's implications. Every business that offers goods or services to consumers living in the EU, or that monitors the behavior of those EU consumers (targeted or inbound marketing) must be compliant with the new General Data Protection Regulation (GDPR) by May 25, 2018. Well, it's after that date, but only about half of the businesses that should be compliant are projected to be ready by the end of 2018. Is your business one of them?
Maybe you're thinking that your business might fly below the radar? Sorry, not likely! If you only do business in the US, then you're probably good for now, however, you should review the highlights, and evaluate your situation anyway, as more countries will be moving to similar protection standards soon. Noncompliance can be costly, with fines up to 4% of your global sales (capped at $23.5 million). We recommend a review of the GDPR elements below, and a common sense view of whether or not your business needs to be GDPR compliant. Some policy changes make sense to develop now, in order to be prepared for further data tightening in the future...
Policy Overview of Changes
Scope: If your company uses or processes data through controllers or processors in the EU, regardless of where the processing actually occurs, you need to be GDPR compliant. Also, if you offer goods or services to EU citizens, or monitor these citizens as part of your data monitoring for business purposes, you need to be compliant. If your business supports another business that works with EU citizens, you need to be compliant because of that connection. Cloud-based processors are also not immune to the GDPR's requirements.
Consent: The biggest process change for consent is the requirement that the privacy wording must be in easy-to-understand terms, in an easily accessible form, with the data purpose attached to the consent. Consent must be clear and distinquishable from other consents related to the business, and be easy to give or withdraw. Note that you'll need to ask for consent for those 16 and over; under age 16 requires parental consent.
Privacy Rights: Under GDPR, EU customers will have some changes in their rights that you must uphold, in order to avoid penalties. Here's a short list:
- Breach Notification: You must notify potential victims of a data breach that may impact their private information within 72 hours of the occurrence or becoming aware of the breach.
- Right to Access: Your data controller must be able to provide to your data subjects (those impacted by your data sharing) confirmation of whether or not their personal information has been processed, where and for what purpose. Copies of this data, if requested, must be provided electronically, free of charge.
- Right to be Forgotten: Also known as data erasure, the data subject has the right to request removal of all personal data, to cease any further dissemination of it, and to halt third parties from using it also. If the use of data is for a public interest (i.e., police or fire), that public interest purpose is weighed in view of the individual's rights/needs.
- Data Portability: Data subjects can request that their machine readable personal data be transmitted to another data controller/firm.
- Privacy by Design: Data protection needs to be a foundation component of new system design, rather than an afterthought. Essentially, this means that your company should plan to only access and retain the data that you absolutely need for your operations, and you should keep that data only as long as you must to complete your organization's work.
- Data Protection Officers: GDPR also requires businesses to have a Data Protection Officer responsible to keep data systems accurate, timely and protected by maintaining specific internal records. If your business regularly and systematically monitors large volumes of EU citizen's data, then periodic EU review of those records will be required. Similar to a compliance officer, this role reports to the highest level of management, and is to be free of conflicts or biases related to these duties.
Why It Matters
Customers expect security and integrity in their interactions and relationships with businesses. If a data breach occurs in your business, your brand will suffer immensely, not only through the immediate mitigation costs, but in customer loyalty. For many small businesses, the loss in brand integrity is irrecoverable. Protecting your customer's data is a key responsibility in return for their business, and their trust going forward. While the GDPR regulations are onerous, they do remind us of that data security mandate on behalf of all of our customers. We recommend the following best practices to manage the integrity of your business data:
- Keep only essential data after the customer's transaction is finished, on a secure server.
- If you use a third-party server or vendor, verify that the processor undergoes effective audits, and is compliant.
- Use a secure network or VPN for all external transactions.
- Evaluate the security of your data and systems by an outside expert at regular intervals.
- For larger businesses, we recommend adopting the Baldrige Cybersecurity criteria to protect your brand, maintain business flow, and to position your systems for the future.
Be aware, be compliant, and deliver high-quality protection to your customers. If you need help evaluating the integrity of your data systems, or designing high performance security solutions, we can help. We use the Baldrige Cybersecurity framework and criteria to help your team to identify, protect, detect, respond and recover from data privacy threats. Start protecting your business today...
Dawn Garcia is Principal and Founder of Pursuit of Excellence LLC, an independent business management consulting firm specializing in service-based businesses; delivering leadership, strategy and execution expertise. Experience the Excellence Driven® System for your business, and achieve the results you need! Every business needs help at some point; great business leaders actually get help when needed, realizing greater returns. When you need help, consult the experts. Our success is your success!