9 Ways to Make Your Small Business Ready for GDPR
The EU has promulgated a new regulation called the General Data Protection Regulation (GDPR).
It has never been more important to preserve and protect consumer data, so you really need to ask: is your small business ready for GDPR? Here are nine things all small businesses should know about GDPR.
What does the GDPR do?
This new regulation protects sensitive consumer data throughout the data processing chain, from collection to storage, dissemination, retention policies, data security, and data transfers between countries.
What happens if we can’t comply?
You will want to do your best to comply because the law has sizeable teeth with penalties up to 4% of global revenue.
We’ve been operating for years with the policies we have in place and we think they’re strong enough. Do we need to change something?
Maybe yes, maybe no. What you definitely need to do is review the policies, procedures, and processes you have in place currently to see if they conform to the changes in the law coming into effect now.
If your business is outside the EU but has customers, or targets customers, within the EU, your company must comply with the new rules. That is a change from how the law works currently. It is also why the UK’s proposed exit from the EU will not exempt UK companies from the regulation: if UK companies sell to, or target, EU consumers, then those UK companies must comply.
Ok, so what kind of changes might we have to make?
The following is a partial list of potential changes to existing processes:
Appoint a Data Protection Officer (DPO).
Appoint one if you do not already have one. The position is held by a C-Suite level officer, or by a third-party vendor who performs the DPO obligations and reports to the C-Suite. However you structure the role, the DPO must remain independent of the IT director or the CIO.
Educate! Educate! Educate!
Train your staff on the proper response regarding requests from customers to access, change, delete, or move their data to another provider. You want staff to respond quickly and accurately the first time, every time.
Review policies and procedures.
Here are a few suggestions: update consent forms (consumers must give specific consent and must be able to withdraw that consent as easily as they gave it), update privacy notices, and embrace best practices such as keeping all consumer documentation under lock and key at the end of the day. Introduce privacy assessments for all new products and services, covering the potential impact of each.
Secure those documents.
Research indicates that 25% of all data breaches involve physical documents. Security is the watchword whether the data is on paper or in digital form. Consider secure printing, secure archiving, and file-based processing with built-in audit trails, document integrity verification, and limits on who may access the data and how.
Adopt data protection practices standard in your industry.
Make sure your systems are easy to follow and maintain.
Human error is a major cause of data breaches. Adopt or revise systems so that they use multi-level authentication and encryption, robust firewalls, and password-protected VPNs and cloud storage.
Develop procedures that immediately respond to the situation when a breach occurs.
Make sure all staff know what has to happen, starting with how they report a suspected breach. Identify the individuals responsible for notifying customers and the regulators that a breach has occurred. Identify the individuals responsible for managing social media and other communications. Identify the individuals who will recommend changes the business can adopt to avoid such a breach in the future.
Even if your staff do not access data remotely or on mobile devices today, make sure the business’s policies and procedures protect sensitive data wherever staff can access it.
This all sounds very expensive. What kind of costs are we talking about?
That’s a good question—and you are not alone in asking it. About 77% of UK businesses already feel this new law adds too much of a financial burden. Another 66% of French businesses and 61% of German businesses believe compliance will mean that they will have to hire new people and make significant investments in new technology and processes.
As a rule of thumb, budget at least 4% of your business’s global revenue, since that is the maximum penalty you would pay if you were found not to be in compliance.
When does the GDPR take effect?
The regulation was adopted on April 14, 2016, and its rules go into effect for all EU member states on May 25, 2018. To talk more about this, or anything else, please contact us. We look forward to helping you secure your business’s data.