There’s a lot of uncertainty surrounding the new General Data Protection Regulation (GDPR) affecting the European Union; the impact it will have on businesses inside and outside of the EU and the specifics on ensuring compliance remain a little foggy, even as May 25th quickly approaches. But it’s certainly troubling that many business managers and C-level executives at small to medium-sized businesses don’t know what it is or if it applies to them. If you fit in this group, now’s the time to review the requirements laid out by the new regulation and examine the data protection measures you currently have in place, whether or not the GDPR applies to you.


The Fast Facts

The “most important change in data privacy in 20 years,” the General Data Protection Regulation was designed to make privacy laws across Europe consistent while better protecting citizens’ data and privacy rights.[1] It becomes effective on May 25th, at which point businesses face fines if they are not compliant with what the regulation sets forth. You can read the full text of the regulation, but here are a few noteworthy fast facts about the GDPR and what it covers:

  • The GDPR has an increased jurisdiction that makes the regulation apply to any company processing the personal data of EU citizens, regardless of where the company itself is located
  • Fines and other penalties for those not complying apply to both data controllers and processors
  • Conditions for consent can no longer be lengthy and illegible or contain confusing legalese; they must be easily understood by those who need to review and agree or disagree to them
  • EU citizens have the right to be notified of data breaches in a timely manner and have the right to access their personal data or be forgotten by those who hold their identifiable data
  • Businesses—even those with fewer than 250 employees—must keep internal records of data processing activity
  • Data systems must be developed with privacy by design
  • Companies that conduct large-scale personal data monitoring or processing should have a data protection officer

What GDPR Means for SMBs

Regardless of its impact on your business and the people you serve, the GDPR comes at a good time for today’s SMBs because it serves as a reminder of the critical importance of protection and security in the age of big data. Collecting, handling, reviewing, and sharing data comes at a price for all parties involved, but increasingly the public demands more responsible control over their personally identifiable information and more transparency regarding the use of their data. Many small companies also fail to consider the safety of their own internal data, overlooking storage, backup, and recovery issues or holding onto outdated practices that present great risks.

For SMBs, GDPR means getting your act together: appointing leaders to own the implementation of your data protection measures, developing a strategy with clear action items and recovery processes, reviewing your IT environment and updating your storage and protection needs, and working with a service provider to ensure proper data security setup and ongoing maintenance. If you don’t have all the answers, take the time to nail them down so you can keep your team safe, your business in operation, and everyone’s data fully protected.

To keep things optimistic for those feeling overwhelmed, remember that the GDPR is helping all of us work toward a safer, more productive market for businesses and consumers. Improved conditions for consent will bring more qualified leads to your door, the public’s trust in companies will rise, and you won’t waste time and money marketing to people who don’t want your products or services.

Still left with questions about the GDPR and why it’s a groundbreaking regulation? See if your questions are answered in the interview below with two leading IT experts.

Hear from the Experts

Razor Technology, an end-to-end IT and cloud solutions provider, and Layer 8 Security, a comprehensive cybersecurity services company, work together to offer security solutions for modern business owners looking to manage their risk, meet compliance standards, and maintain operational efficiency. We spoke with experts from both organizations about some of the most important elements of GDPR, how SMBs can prepare to comply with the new regulation, and how today’s business leaders can weather new data privacy changes in a fast-paced world.

Tom Reynolds, Director of Technology Solutions at Razor Tech, and Kevin Hyde, Managing Director at Layer 8, weighed in:

What are your thoughts on how the EU GDPR will empower citizens’ data privacy and reshape the way organizations approach data privacy?

Tom Reynolds: With the current state of Facebook and data mining, data protection and privacy are at the front of everyone’s mind. A codified law surrounding these issues steps it up for people, in a way. It’s a much bigger concern now that the public expects and deserves higher privacy standards.

Kevin Hyde: GDPR will have a significant effect on both the public and today’s businesses because this regulation is more all-encompassing and stringent than previous efforts to enforce data protection. There’s still so much guesswork involved for companies when it comes to finding the best ways to comply, but it’s great for citizens. I’d love to have my data protected the way EU citizens’ is protected. We’re thinking that this regulation is the start of a movement that will work its way around the globe.

What constitutes “personal data” today and how does the definition affect GDPR compliance?

TR: The idea of what personal data is has greatly expanded over the years to be a whole host of things considered personal and private, such as browsing history and purchase history. Due to the advent of data mining, the commodification of data, and the practice of big data analytics, companies can get deeper into the private lives of the public. The definition of personal data has to expand and grow with these new practices to reflect the state of things.

KH: The definition is highly projective. Some people consider a name and an address to be personally identifiable information (PII), and typically we say that PII is the set of criteria that creates a personal profile of an individual. But PII is considered to be something that is an aggregation of data. Regardless, the term is vague and the GDPR is keeping it vague so that entities might be pushed to enable too much protection rather than too little.

What is the value of strengthening conditions for consent and discouraging the use of long, illegible terms and conditions and legalese?

KH: Protecting the individual’s privacy rights through strengthened conditions is clearly better for the consumer, but it opens up potential liability issues for companies if they don’t disclose enough. A lot of companies use third-party vendors as part of their service offering, but these parent companies could come into contact with EU data and need to do a better job of vetting and managing their vendors. The GDPR will make management more complicated, but it’s good that businesses will take on the increased level of responsibility that they should.

TR: I second everything Kevin said, but want to reiterate that ideally for consumers, the days of not being able to understand conditions for consent should be gone, and the GDPR will help facilitate this.

Can you explain the term “privacy by design” and how it applies to data protection solutions and SMBs?

KH: The GDPR requires that privacy be included in any design considerations and in the work of any service provider, whether a controller or processor. This concept is something those of us working in IT are already familiar with, but any SMB using a management program should also maintain these ways of thinking and have privacy by design practices in place. Privacy by design means privacy is not a bolted-on piece; it’s an intrinsic property of how a program operates.

What are some ways SMBs can prepare to comply with the GDPR?

KH: Companies need to have some mechanism through which data is accessible and they need to go beyond what was acceptable in the past to ensure GDPR compliance. If a company is unsure about what level of protection they need or how to get started, they should work with a data protection solutions provider to meet compliance needs. We approach GDPR compliance for our clients by first reducing the scope of what a company is responsible for: find the minimum requirements that apply to your business, learn what it takes to pull and provide data to individuals, establish a way of knowing if data gets out into the wild. GDPR requirements are really the basic building blocks of an information security policy, and we want to emphasize that businesses must take a layered approach to satisfying these needs.

Companies should also ensure a framework for accountability and risk management. GDPR needs to be handled out of the CFO, CEO, or general counsel office; upper-level management must ask itself what risks the company faces, what information security framework they’re willing to put in place, and who owns and enforces this process. Creating accountability for managing risk is important, which is why C-level involvement is crucial, even if management does not own the whole process. There are tough questions to answer, but every business that the GDPR applies to must answer them.

TR: The biggest thing to recognize is that GDPR compliance is not a technology-driven effort, and information security in general shouldn’t be tech-driven. Smaller businesses don’t often understand this, so the GDPR will probably drive this idea home. If an SMB has any doubts about their security measures, they must bring in someone who has experience and can help—there’s just too much at risk.

How should businesses approach updating their privacy policies?

TR: Take a look at your privacy policy to find its origin. It’s no longer okay to throw up a policy that someone found online and change the name to suit your company. You need to be careful about what you’re putting out there, so check to make sure your policy is appropriate for your business and target audience and that it accurately represents what you do.

How can Razor Technology and Layer 8 Security help SMBs prepare for GDPR compliance?

KH: Several of our clients come to us for GDPR concerns and we have some basic technical services that we can immediately put into effect to help them kick off a comprehensive plan. We work with them to uncover the processes they have in place and then help organically build their own information security program. Performing a data protection strength test can help us see where a business is with their existing efforts and our consulting work can reduce the scope of what the company would be responsible for when it comes to GDPR compliance. For companies big and small, when you need a privacy policy written, when you need data security training, when you need a data protection officer, Razor Tech and Layer 8 are here—but all of this also requires an SMB management team that fully understands the crucial investment that is data security.

Are You Ready for GDPR Compliance?

Do you need help deciding if your business is GDPR-ready? With the help of our partners at Layer 8 Security, Razor Technology offers GDPR preparedness guidance along with data security and protection services. Contact us today to learn what your responsibility is in this new regulation and how you can build a secure data program that meets your business’s needs.

Sources: [1] EUGDPR.org