This Friday, May 25, is the day privacy changes forever. Well, it would be, if all companies complied with the European Union's new privacy regime, called General Data Protection Regulation (GDPR). GDPR represents the biggest overhaul of data protection standards since 1995, putting new responsibilities on those gathering, processing, and storing data, and handing back power to those who own it.
Resistance will be futile and may be extremely costly. This means you need to understand and start working on a plan to meet the GDPR requirements. GDPR squarely puts the onus on businesses to obtain consumer consent. Such consent must be "freely given, specific, informed, and unambiguous." That is, it must be in plain English and easy to understand without a law degree.
Further, users must be able to review, revise, port, and even delete any data collected on them. Companies that fail to comply with GDPR can be fined up to four percent of their global revenue, up to €20 million (approximately $24.5 million).
8 Steps to Get Your Small Business Ready
- Document the personal data. Understand what personal data you hold, where it came from, who you share it with, what it was collected for, and whether it's still relevant and necessary for the purposes you collected it.
- Have a legal reason to collect data. Under the new regime, opt-out boxes are no longer enough. The same goes for long, complicated legalese. Instead, everything must be opt-in, and a citizen will only give their permission for their data to be processed by you for a limited period of time, for a narrowly defined purpose (for example, collecting their home address in order to ship them a product they just purchased). Consent may also be withdrawn at any time.
- Prepare for data breaches. You must be able to notify the data protection authority of a data breach within 72 hours of finding out about it.
- Be able to honor citizens' data requests. Under the new regulations, EU citizens can request that you delete, amend, or move their data to a different organization. Your processes and technology must make it possible to honor user demands within 30 days.
- Appoint a data protection officer. For small businesses (those with under 250 staff) a data protection officer is not mandatory, but it is still a good idea. Someone on your team must stay up to date with the privacy regime and make sure compliance is ongoing.
- Train all staff. Make sure your data protection officer briefs all staff regularly, so that they are appropriately informed and familiar with privacy matters and compliance.
- Audit your supply chain. The GDPR is all-encompassing. You must ensure that all entities in your supply chain are GDPR compliant. For example, if you store your transactions with customer data on a cloud service, you are responsible for confirming that the service provider is GDPR compliant.
Every business, small or large, inside or outside the EU, is required to comply with GDPR if EU citizens are involved. So consider yourself warned. It all changes on May 25.