This Friday, May 25, is the day privacy changes forever. Well, it would be, if all companies complied with the European Union's new privacy regime, called the General Data Protection Regulation (GDPR). GDPR represents the biggest overhaul of data protection standards since 1995, putting new responsibilities on those gathering, processing, and storing data, and handing back power to those who own it.

If you think businesses in the U.S. don't have to comply, think again. Yes, GDPR is only supposed to apply to the EU and EU residents, but if your organization markets to or processes the information of EU citizens, the GDPR applies to you, whether or not you're based in the EU. So any company that has an online presence and markets its products over the internet--which by default reaches into the EU--must comply with GDPR, regardless of size, maturity, or revenue. Because so many companies do business in Europe, American technology giants like Apple, Google, Facebook, and Twitter are scrambling to become GDPR compliant. That's why your email inbox is filled with so many "privacy policy" updates this month.

Resistance will be futile and may be extremely costly. This means you need to understand and start working on a plan to meet the GDPR requirements. GDPR squarely puts the onus on businesses to obtain consumer consent. Such consent must be "freely given, specific, informed, and unambiguous." That is, it must be in plain English and easy to understand without a law degree.

Further, users must be able to review, revise, port, and even delete any data collected on them. Companies that fail to comply with GDPR can be fined up to four percent of their global revenue, up to €20 million (approximately $24.5 million).

8 Steps to Get Your Small Business Ready

  1. Document the personal data. Understand what personal data you hold, where it came from, who you share it with, what it was collected for, and whether it's still relevant and necessary for the purposes for which you collected it.
  2. Have a legal reason to collect data. Under the new regime, opt-out boxes are no longer enough. The same goes for long, complicated legalese. Instead, everything must be opt-in, and a citizen will only give their permission for their data to be processed by you for a limited period of time, for a narrowly defined purpose (for example, collecting their home address in order to ship them a product they just purchased). Consent may also be withdrawn at any time.
  3. Prepare for data breaches. You must be able to notify the data protection authority of a data breach within 72 hours of finding out about it.
  4. Be able to honor citizens' data requests. Under the new regulations, EU citizens can request that you delete, amend, or move their data to a different organization. Your processes and technology must make it possible to honor user demands within 30 days.
  5. Appoint a data protection officer. For small businesses (those with under 250 staff), a data protection officer is not mandatory, but it is still a good idea. Someone on your team must stay up to date with the privacy regime and make sure compliance is ongoing.
  6. Train all staff. Make sure your data protection officer briefs all staff regularly, so that they are appropriately informed and familiar with privacy matters and compliance.
  7. Audit your supply chain. The GDPR is all-encompassing. You must ensure that all entities in your supply chain are GDPR compliant. For example, if you store your transactions with customer data on a cloud service, you are responsible for confirming that the service provider is GDPR compliant.
  8. Inform everyone. Always share your privacy policy and make sure you have disclosed to all users, stakeholders, and customers what you plan to do with the data they have provided. I have seen lots of business models where the startup simply collects user data, and plans to figure out later how to monetize it. This process is reversed under the GDPR. Before you collect data, you must first disclose, in plain English, what that data will be used for.

Every business, small or large, inside or outside the EU, is required to comply with GDPR if EU citizens are involved. So consider yourself warned. It all changes on May 25.

Published on: May 24, 2018