What does a European Union law about privacy have to do with your small business?
That might seem like a ridiculous question to ask, but it’s not.
The General Data Protection Regulation, or GDPR for short, went into effect on May 25, 2018. And with privacy issues in the news on a near-daily basis, with the recent Congressional hearings about Facebook and Cambridge Analytica, you can’t afford to ignore the ramifications of GDPR for your business.
You could keep your head buried in the sand – but that’s not a good idea. Here’s what you need to know about GDPR.
GDPR is a law that was designed to standardize data privacy in the European Union’s member countries. It represents a big chance – and a victory for EU citizens, who can now be confident that their data will be secure and that the regulations used to ensure its security are transparent.
On the flip side, EU-based businesses have had to scramble to be compliant with the new rules. The biggest requirement involves Personal Identification Information, or PII. PII is sometimes used as a general term in the United States to describe personal information that companies might collect and store on behalf of their customers.
While PII has traditionally included information like Social Security numbers and addresses, the GDPR expands the definition of PII to include other things. For example:
Web data, including the user’s location, IP address, cookies, and RFID tags
Medical and genetic data, including medical records, test results, and DNA
Biometric data, including fingerprints and other unique identifiers
Racial and ethnic data
Political opinions and orientation
Sexual orientation
In other words, companies in the EU must now protect their customers’ IP addresses and other information collected online with the same care that they would financial information. It further requires that organizations:
Store and process personal data only with an individual’s explicit consent
Hold data for only as long as it is necessary to do so
Destroy stored data upon request
There’s no denying that the implementation of GDPR represents a big change for EU companies.
Think for a moment about the different ways in which you use the data you collect from your customers. The chances are good that you do more with it than you realize.
Organizations in the EU are finding that they institute company-wide changes to be compliant with GDPR regulations. Privacy can impact various departments within an organization, including:
IT
Sales
Marketing
Finance
Operations
Business owners and managers must work together to identify potential privacy problems and security issues and address them to protect the information they have stored. At the same time, they must accommodate incoming requests related to the “right to be forgotten” if customers ask them to delete the data they have on hand.
Your business is based in the United States – and you might be asking the obvious question:
Why should I worry about GDPR compliance?
You may not need to worry too much about it if you have never had a customer who was an EU citizen. However, if you do business in the EU (or cater to tourists from the EU), then you might be impacted by the new regulations.
This is what the GDPR website says about organizations outside the EU:
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
In other words, if you collect data on your website from EU citizens, process payments from them, or hold any personal information belonging to EU citizens, you must adhere to GDPR rules about collecting, using, and storing their PII.
You might not have any EU customers, but even if you don’t it may be worth taking a look at the way you store personal data. There’s no question that there’s a worldwide movement toward increasing privacy protections. Cybercrime is on the rise and criminals are getting wilier every day. Considering the damage that a data breach can do to your bottom line, it makes sense to err on the side of caution.
As you might expect, there are penalties attached to violating the GDPR. The law is meant to be a deterrent and the EU intends for organizations who fail to be complaint to pay a price.
The most likely penalty if you fail to protect EU citizens’ data is a fine. The maximum fine is 20 million Euros, which works out to nearly $25 million in US dollars. The specific rule is €20 million or 4% of the company’s global revenue, whichever is higher.
The harshest penalties are intended to punish companies with the most severe violations, such as violating core concepts or not getting a customer’s consent to process their data. Other fines are organized in tiers. For example, an organization can be fined 2% of their global revenue for things like:
Not having their records in the proper order
Not notifying the authorities of a security breach
Not conducting the required impact assessment
These are serious penalties. You’ll need to take a hard look at your security and data handling procedures to avoid them if you do business in the EU or with EU citizens.
If you do business in the EU or simply want to get your ducks in a row when it comes to protecting your customers’ data., it may be helpful to make a thorough review of your existing data collection and storage procedures to identify potential problems.
You can find detailed information about the GDPR on this website. Depending on your circumstances, you may want to consult an EU lawyer as well.
In the end, remember that GDPR compliance protects you as well as your customers. It can be impossible to protect the digital perimeter of your business from hackers, but the procedures required by the GDPR can give you an extra layer of protection in the event of a breach.