The European Union is about to roll out sweeping regulations governing how companies collect, use, and share people's data. And it doesn't matter where your business is based--if you deal with E.U. residents online, you're going to be affected too.
The E.U.'s General Data Protection Regulation (GDPR), which goes into effect May 25, is designed to give users more control of their information. The law will require companies to obtain consent from users before collecting any data. GDPR also requires companies to notify regulators and affected individuals of any breaches of security within 72 hours. Companies that don't comply with the new rules can be fined as much as four percent of their global annual revenue.
To date, the GDPR is one of the broadest and most comprehensive laws devised by a Western country to regulate the Internet and personal data privacy, according to Trevor Hughes, president of the New Hampshire-based International Association of Privacy Professionals. (The United States has only sector-specific laws to protect personal data.)
While the GDPR will put pressure on tech behemoths such as Facebook and Google to be more transparent around their data-gathering practices, the regulation may introduce more hurdles for small to midsize companies in industries ranging from healthcare to e-commerce. As of January, only about 40 percent of businesses had heard of GDPR, and of those that had, only a quarter were prepared for it, according to a survey conducted by the University of Portsmouth and a U.K. market research firm.
Bojana Bellamy, president of the London-based global security and privacy think tank Centre for Information Policy Leadership, says smaller companies could struggle with ramifications of the law. Take, for example, a small health developer app that has 10 employees. If a large portion of its users suddenly choose not to have their data collected, the startup may be hamstrung in its ability to develop new products and services. Small companies likely won't have the resources of a giant tech company to put a detailed security program into place.
In late April, a gaming company called WarpPortal announced that it would shut down access to E.U. players rather than comply with GDPR. More companies could follow suit.
"The GDPR is a broad-based regulation that reflects the technological and business environment at the time of drafting," says Hughes. "As a result, we don't know yet how the GDPR will perform as public policy in the face of new innovations."
In the meantime, the law could be an opportunity for companies to rethink their privacy policies and reinvest in consumers' trust. Hughes argues that, if handled appropriately, complying with the law could lead to more opportunity for some businesses, despite the initial costs. Consumers are more aware than ever about their lack of privacy online and will likely stick with the sites they trust. For new companies, an emphasis on privacy up front could pay off. "The best time to do it is when the company is small than when the company has hundreds and thousands of employees and terabytes of data," says Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, a New Jersey-based software company that develops data management software for enterprise companies.
To prepare for the roll-out of GDPR--and the changing landscape of online data practices--here's what you need to do now:
Analyze the data you collect and why you collect it.
Simberkoff suggests taking a hard look at what your company collects and asking if you really need this data. Why do you collect it? How do you use it and who do you share it with? "Thinking of data strategically before you even think about it from a compliance perspective is a really good starting point," says Hughes.
Don't promise something you can't deliver on.
Broken promises around privacy tend to get companies in a lot of trouble. "That's what we know regulators are looking for," says Simberkoff. "GDPR is new, but this is not." You want to create a very transparent relationship with your customer.
Make data protection part of your company's culture and DNA.
"It's not one person's job, so this is when I think smaller companies have an advantage because larger companies, you'll have a security officer and a privacy officer, and there's often a perception that the person or their team is responsible for privacy and security," says Simberkoff. "In a small company, make it everybody's job." If you build awareness from the beginning, then you'll be far ahead of the game in the long-run, and, as Simberkoff points out, that begins from leadership.
Get help on understanding the requirements.
Digesting all 99 articles of GDPR and whether they apply and how they apply to your operation is a big undertaking. Hughes says that smaller organizations should be calling lawyers or finding consultants even if they only engage them for a gap assessment to understand what you do and don't need to change about your practices. The U.K.'s Information Commission Officer has also issued guides specifically for small businesses, which any founder would be wise to read.