We’ve been hearing for months the ramifications that the EU General Data Protection Regulation (EU GDPR) will bring to all companies that do business in the European Union now that the May 25 deadline has come and gone. But, it’s less clear how these will affect small and midsize businesses (SMBs). What is clear is that the penalties for non-compliance will be severe for companies of all sizes. But, how can those that don’t have millions of dollars in revenue prepare for this change without making drastic upgrades like hiring a compliance officer?
When you think about it, a significant element of GDPR focuses on cybersecurity. They are looking to make companies accountable for their access and handling of a customer’s personal data. The fears of a cybersecurity incident were already high for companies, but they have become even more worrisome when you consider that a data breach violation under the new GDPR regulation could result in a fine as high as millions or four percent of annual turnover. For SMBs, that cost is business-ending. One way for SMBs to handle the new compliance requirements is to think of GDPR as another step in their cybersecurity protocol. One that puts their businesses and customers first.
There are specific steps SMBs can take to ensure they are complaint with the regulation and a few of the most important include:
Have a data process in place
Understand what you are collecting, how you collected it and with whom you are sharing that data. Also, take the time the time to evaluate the data that you are collecting from your customers and decide whether under the new regulation if it’s still necessary that you collect and keep that data. The responsible collection of data is the reason GDPR was created so it’s now critical that your process is obvious to your employees and your customers to ensure compliance.
Be able to share that data process with customers
Under the new regulation, consumers are able to ask that certain information is not collected or shared. Be prepared to receive these types of requests by having a customer’s data ready to share with them should they ask. More importantly, be prepared to do this in a timely manner. You now only have one month to meet these requests, but if you have your data process is efficient, you should be able to do this much faster.
Establish your company’s “lawful basis” for data processing
Offering opt-out data sharing options are no longer good enough under the new regulation. Instead, GDPR requires that you establish a “lawful basis” for processing a consumer’s personal data. This means that you need to have options that allow consumers to choose how long they want their data used by your company and for what purposes that data can be used. It’s important that your customers can easily check their data selections and adjust how their data is processed should their wishes change. Additionally, it’s also important that you be able to describe how it will be used in great detail as customers now have the option to select a narrow use of their data versus the more general use that they were used to before. Take the time to review your data use descriptions and make sure that they still accurately reflect how you are using that data and make adjustments if you can be more specific.
Prepare for the worst – a data breach
You will now have 72 hours to notify the proper authorities that a data incident has occurred. This means that there isn’t time for you to think of how to handle this once it’s happened. To be prepared for what seems like the inevitable in today’s world, your company needs to have an easily-enacted process. All employees within the IT and security departments need to know where this process is, know who internally to notify once they notice an incident and then begin following said process exactly. Do not leave any room for error as this could lead to a massive compliance fine and losing trust from your customers.
SMBs are the most vulnerable to the effects of the new GDPR regulation because they don’t have the same resources or ability to hire data protection officers like large enterprises can. However, if you ensure that you are meeting the policies and framework laid out in the laws, should a data breach incident occur, the fines incurred will be less severe and will not end your business. To ensure that you are in a position that you do not incur expensive fines, your team must follow specific steps that show that your company is taking the collection of customer’s personal data seriously and have extensive documentation to prove that.
This article was written by Justin Dolly from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to firstname.lastname@example.org.