The May 25 deadline for complying with the European Commission’s General Data Protection Regulation (GDPR) is approaching fast—so fast that many small and medium-sized businesses are in a mad rush to get their houses in order.
So are many large companies, but the regulation creates intimidating challenges for SMEs, given their smaller size and resources. In recent weeks, the European Commission (EC) has dispatched a flurry of detailed advisories and even created an exclusive website to help companies prepare for compliance, with special attention accorded the demands placed upon SMEs.
We’ve gone through the advisories to distill critical steps that must be taken now, assuming they have not already been addressed. Most important of all is for CEOs to take GDPR very seriously, as its teeth are razor sharp—irrespective of company size.
The EC created GDPR to heighten and unify personal data privacy laws across the European Union (EU). All companies doing business in the EU must comply with the regulation. The EC applies a new principle called extraterritoriality to ensure compliance by non-European businesses—even those without a physical presence in the EU. If they “control” or “process” personal data belonging to European consumers, they must comply with the regulation. Data controllers may be for-profit or nonprofit organizations. A data processor is a firm that performs the actual data processing on the controller’s behalf.
The new regulation broadly extends the EU’s 1995 data protection directive that held businesses accountable for the security of the consumer data they had in their possession. As opposed to the previous passive opt-out acceptance model, companies now must receive written consent from consumers to collect and use their data, and only for a legitimate business purpose. Consumers can withdraw their consent at any time, and once the business purpose for using the consumer’s personal information has been fulfilled, the data must be deleted.
These aspects of GDPR loudly resonate following recent disclosures of the harvesting of 50 million Facebook profiles in the continuing Cambridge Analytica scandal. A major objective in drafting the regulation was to give consumers more control over their personal information, insofar as which organizations can use it, when they can use it, and for what purposes. The other primary goal was to create regulatory uniformity across the EU.
Analysis and Monitoring:
Before processing a consumer’s personal information—both paper-based and digital data—companies must analyze the related data privacy and security risks. This rule also applies to consumer data the business may have provided to its vendors, suppliers and outsourcing partners. Additionally, the measures used to secure data, such as encryption in transit and in temporary storage, must be documented. A record of these various activities must be maintained by the organization for delivery to regulators upon request.
For SMEs whose core activity is the systematic monitoring of data subjects on a large scale, GDPR advises these businesses to appoint a data protection officer dedicated to data privacy. Companies not technically mandated to do this should still consider the value of hiring a privacy overseer and having this person sit on the board.
Since new products, services and technologies under development must take GDPR compliance into account from the origination of these plans, having someone in charge—either internally or on an outsourced basis—may be prudent for all SMEs.
Lastly, in the event of a data breach it is the responsibility of companies to inform EU regulators within 72 hours of the event, even though all the details may be unknown or uncertain. Regulators want to know the nature of the incident, approximately how many people were affected, the potential consequences for these individuals, and the measures taken to date or in the planning stages to respond to the breach.
The consequences of failing to comply with GDPR are severe. A penalty of 2 percent of annual worldwide revenue or 10 million euros (roughly $12.37 million), whichever is greater, may be imposed on businesses that fail to report a breach within 72 hours. For companies that fail to comply with other parts of the regulation, the penalties are double these amounts.
Had GDPR been in effect the past five years, FTSE 100 companies that experienced a data breach collectively would have been fined more than 25 billion euros (close to $30 billion), according to an October 2017 study.
What To Do Now:
Most SMEs are hopefully well into their preparations for GDPR compliance. For those still at the beginning of this process, we’ve compiled a checklist of tasks to help ensure readiness by the deadline.
- Know Your Data. What types of consumer data does the company collect and where does this information reside? Create an inventory of this information that includes the consumer’s name, email, bank details, etc., since the business will need to demonstrate an understanding of the personal data in its possession.
- Consider Consent. How does the organization currently receive consent from consumers to collect and use their data? What needs to change internally from a process and systems standpoint to reach out to consumers for their consent, and how will this consent be documented for regulatory purposes? What is the process to delete consumer information after its business use has concluded? Start writing up clear policies regarding all of the above and have legal staff or outside counsel confirm their appropriateness.
- Data Chief. Does the company employ a chief data protection officer? If not, who in the organization will be in charge of data privacy and data security, and what are their respective responsibilities and capacity to achieve these aims? Is there value in creating a multi-functional team to report to these individuals? How does the company currently secure consumer data? Broader use of encryption might be needed. The goal is to ensure regulation-ready data privacy and security policies.
- Breach Notification. What are the processes to comply with the 72-hour data breach notification rule? How will each of the required responsibilities, such as demonstrating the nature of the breach and how many people were affected, be determined? Who in the organization is involved in these regards and what are their tasks? Consider testing the process to iron out any kinks.
- Third Party Obligations. What are the processes to review how vendors, suppliers and outsourcing partners are using the personal data provided to them? How can the organization ensure these organizations are GDPR-ready? For instance, contract terms and conditions may need to change to obligate them to immediately report the incidence of a data breach.
The bottom line for CEOs of midsize and smaller companies that conduct business in the European Union is that GDPR readiness may be difficult, but the likelihood is that similar rules will hit U.S. shores at some point. This gives them a leg up on domestic competitors currently free from compliance. Better now than later.