Why Small Businesses Must be Ready for GDPR
The most important change to data privacy regulations in the last 20 years is about to take place. Yet many small businesses are not ready and could potentially face stiff penalties that might cripple them.
The deadline for compliance with the General Data Protection Regulation (GDPR) is May 25, 2018. GDPR is being imposed by the European Union (EU) to protect the privacy of its citizens. But its far-reaching nature will affect any company – even those in the US – that collects, stores and processes any personal information of an EU resident.
Who Must Comply:
- Your business has a presence in an EU country
- Your business has no presence in the EU but processes personal data of European residents
- Your business has more than 250 employees
- Your business has fewer than 250 employees, but its processing or storage of personal data impacts the rights and freedoms of EU citizens and includes certain types of sensitive personal data
That effectively means nearly every company – and especially those with an online presence – must comply with GDPR.
GDPR could impact any business that uses personalization tactics, retargeting, emails, newsletters, deals and discount alerts, as well as contextual ads. That’s because these tactics are based on leveraging personal information.
Businesses must also be aware that any third-party partners they work with are also directly and legally obligated to comply with GDPR. If a small business is responsible for passing data to a third party (such as a CRM system, a bulk mailing application, or an affiliate), it is deemed responsible for how that data will be used. This means small businesses could be on the hook for fines if their partners aren’t compliant.
The Basics Of GDPR
Under GDPR, personal information is anything that can be used to directly or indirectly identify a person including:
- Name, address and ID numbers
- IP address, cookie data, and RFID tags
- Banking details
- Email addresses
- Posts on social networking sites
- Health, genetic, and medical data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Under the new GDPR rules, EU citizens must give explicit consent to have their personal data stored and processed. That data can also only be stored for “no longer than is necessary for the purposes for which the personal data are processed.”
Additionally, individual personal data must also be portable from one company to another. And EU residents can ask that their data be erased and companies must immediately comply. The only exceptions are other legal regulations requiring businesses to maintain specific data – like health or tax records.
However, GDPR isn’t always explicitly defined. It states companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” may be open to interpretation.
In addition, companies must report any data breaches to supervisory authorities and individuals affected by the breach within 72 hours of when the breach was detected. Another requirement, performing impact assessments, is intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them.
Non-Compliance Could be Costly
The penalties for non-compliance are stiff – 20 million euros or 4 percent of global annual turnover, whichever is higher. For some companies that could be in the billions. The GDPR supervisory authority has the power to impose administrative fines based on several factors, such as the gravity of the infringement and whether or not steps were taken to mitigate the damage.
Still, it’s unclear how those penalties will be assessed. The biggest questions center around impact. Will fines differ for a breach that has minimal impact on individuals compared to a breach where exposed personal data results in actual damage? In any case, penalties could cripple small companies or startups.
The consensus is that the regulators will attempt to make examples of violators early on by aggressively going after them. However, it’s also not defined how those offenders will be exposed to the supervisory board.
Maybe that’s why some question the GDPR’s enforcement reach into non-EU member countries – like the United States. Will the EU be able to patrol, enforce and levy fines on small US-based businesses? In theory, yes. But the legalities are sure to be tested.
Businesses are Unprepared
Most big global brands have GDPR compliance efforts well underway. But smaller businesses are less prepared. A December 2017 survey by Solix Technologies says that 22% of businesses were still unaware that they must comply with GDPR. Thirty-eight percent said the personal data they process is not protected from misuse and unauthorized access at every stage of its life cycle. Half of those surveyed expect to be fined.
Recent data from PricewaterhouseCoopers says that only about 30% of companies have begun to prepare for GDPR, and nearly 62% of US companies will spend more than $1 million preparing for GDPR. The survey also noted that 32% of the respondents said they plan to reduce their presence in the EU, while 26% said they would exit the EU.
The bottom line is that ignoring GDPR or failing to comply may have serious financial consequences for businesses.