Close this search box.
Close this search box.

GDPR: Act Now Before It’s Too Late

The May 25 deadline for complying with the European Commission’s General Data Protection Regulation (GDPR) is approaching fast—so fast that many small and medium-sized businesses are in a mad rush to get their houses in order.

GDPRThe May 25 deadline for complying with the European Commission’s General Data Protection Regulation (GDPR) is approaching fast—so fast that many small and medium-sized businesses are in a mad rush to get their houses in order.

So are many large companies, but the regulation creates intimidating challenges for SMEs, given their smaller size and resources. In recent weeks, the European Commission (EC) has dispatched a flurry of detailed advisories and even created an exclusive website to help companies prepare for compliance, with special attention accorded the demands placed upon SMEs.

We’ve gone through the advisories to distill critical steps that must be taken now, assuming they have not already been addressed. Most important of all is for CEOs to take GDPR very seriously, as its teeth are razor sharp—irrespective of company size.

Basic Background:

The EC created GDPR to heighten and unify personal data privacy laws across the European Union (EU). All companies doing business in the EU must comply with the regulation. The EC applies a new principle called extraterritoriality to ensure compliance by non-European businesses—even those without a physical presence in the EU. If they “control” or “process” personal data belonging to European consumers, they must comply with the regulation. A data controller comprises both for-profit and nonprofit organizations. A data processor is a firm that performs the actual data processing.

The new regulation broadly extends the EU’s 1995 data protection directive that held businesses accountable for the security of the consumer data they had in their possession. As opposed to the previous passive opt-out acceptance model, companies now must receive written consent from consumers to collect and use their data, and only for a legitimate business purpose. Consumers can withdraw their consent at any time, and once the business purpose for using the consumer’s personal information has been fulfilled, the data must be deleted.

“Before processing a consumer’s personal information—both paper-based and digital data—companies must analyze the related data privacy and security risks.”

These aspects of GDPR loudly resonate following recent disclosures of the harvesting of 50 million Facebook profiles in the continuing Cambridge Analytica scandal. A major objective in drafting the regulation was to give consumers more control over their personal information, insofar as which organizations can use it, when they can use it, and for what purposes. The other primary goal was to create regulatory uniformity across the EU.

Analysis and Monitoring:

Before processing a consumer’s personal information—both paper-based and digital data—companies must analyze the related data privacy and security risks. This rule also applies to consumer data the business may have provided to its vendors, suppliers and outsourcing partners. Additionally, the measures used to secure data, such as encryption in transit and in temporary storage, must be documented. A record of these various activities must be maintained by the organization for delivery to regulators upon request.

For SMEs whose core activity is the systematic monitoring of data subjects on a large scale, GDPR advises these businesses to appoint a data protection officer dedicated to data privacy. Companies not technically mandated to do this should still consider the value of hiring a privacy overseer and having this person sit on the board.

Since new products, services and technologies under development must take GDPR compliance into account from the origination of these plans, having someone in charge—either internally or on an outsourced basis—may be prudent for all SMEs.

Lastly, it is the responsibility of companies in the event of a data breach to inform EU regulators within 72 hours of the event, even though all the details may be unknown or uncertain. Regulators want to know are the nature of the incident, approximately how many people were affected, the potential consequences for these individuals, and the measures taken to date or in the planning stages to respond to the breach.

GDPR’s consequences for failing to address the regulation are gulping. A penalty of 2 percent of annual worldwide revenue or 10 million euros (roughly $12.37 million), whichever is greater, may be imposed on businesses that fail to report the breach within 72 hours. For companies that fail to comply with other parts of the regulation, the penalties are double these amounts.

Had GDPR been in effect the past five years, FTSE 100 companies that experienced a data breach collectively would have been fined more than 25 billion euros (close to $30 billion), according to an October 2017 study.

What To Do Now:

Most SMEs are hopefully well into their preparations for GDPR compliance. For those still at the beginning of this process, we’ve compiled a checklist of tasks to help ensure readiness by the deadline.

  1. Know Your Data. What types of consumer data does the company collect and where does this information reside? Create an inventory of this information that includes the consumer’s name, email, bank details, etc., since the business will need to demonstrate an understanding of the personal data in its possession.
  2. Consider Consent. How does the organization currently receive consent from consumers to collect and use their data? What needs to change internally from a process and systems standpoint to reach out to consumers for their consent and how will this consent be documented for regulatory purposes. What is the process to delete consumer information after its business use has concluded? Start writing up clear policies regarding all of the above and ensure their appropriateness from legal staff or outside consel.
  3. Data Chief. Does the company employ a chief data protection officer? If not, who in the organization will be in charge of data privacy and data security, and what are their respective responsibilities and capacity to achieve these aims? Is there value in creating a multi-functional team to report to these individuals? How does the company currently secure consumer data; broader use of encryption might be needed. The goal is to ensure regulation-ready data privacy and security policies.
  4. Breach Notification. What are the processes to comply with the 72-hour data breach notification rule? How will each of the required responsibilities, such as demonstrating the nature of the breach and how many people were affected, be determined? Who in the organization is involved in these regards and what are their tasks? Consider testing the process to iron out any kinks.
  5. Third Party Obligations. What are the processes to review how vendors, suppliers and outsourcing partners are using the personal data provided them? How can the organization ensure these organziations are GDPR-ready? For instance, contract terms and conditions may need to change to obligate them to immediately report the incidence of a data breach.

The bottom line for CEOs of midsize and smaller companies that conduct business in the European Union is that GDPR readiness may be difficult, but the likelihood is that similar rules will hit U.S. shores at some point. This gives them a leg up on domestic competitors currently free from compliance. And if you are unsure about GDPR compliance in the UK then have a look there as they offer everything that you need. Better now than later.


  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events


    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)


    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.