Defining GDPR - The General Data Protection Regulation (GDPR) is an EU-wide law that went into effect on May 25th, 2018. This data protection law was put into effect as a measure to protect customer data. GDPR is relatively complex, but there are some overarching rules in place that businesses must follow.
Online businesses that operate in the EU must have the following major protocols in place:
1. A company must provide notice of a data breach within a period no longer than 72 hours
2. Websites should follow “privacy by design” or “privacy by default” principles
3. Data policies should be clear and transparent to the average person
4. In most cases, users must consent to their data being utilized by the company
What if GDPR Rules Are Broken?
If a company operating in the EU fails to follow the GDPR law, hefty fines will be imposed. These fines are no laughing matter -- the government can take up to 4% of the organization’s worldwide revenue or €20 million (whichever is higher). This includes U.S. companies if their site functions in the EU (which most do), meaning all U.S. organizations need to be aware of the compliance protocols.
Regulators are expected to begin inspecting cyber security practices within large organizations, especially when it comes to essential services -- healthcare, data dealing with children, electricity, transportation, and the financial industry.
It is expected that warnings will begin going out if a company is not following GDPR, and that offenders who continue to fail to follow the regulations will start seeing these crippling fines. Residents will be able to report organizations that they believe are being irresponsible with their data or not following GDPR, and regulators in each country will be able to open an investigation from there.
Safeguards Currently in Place Within the U.S.
In the U.S. there are a few federal regulations in place that establish a bare minimum for data protection; however, these are no comparison to the sweeping regulations that make up GDPR. U.S. data privacy regulations are industry specific:
● HIPAA (1996): HIPAA deals specifically with the data privacy and data security of medical information. All companies and establishments in the United States dealing with medical information must use HIPAA-compliant software and have specific cyber security measures in place.
● Gramm-Leach-Bliley Act (1999): The Gramm-Leach-Bliley Act states that financial institutions in the U.S. must disclose what they do with customer data and information and what protections they have in place to protect customer data. Noncompliance results in hefty fines for financial institutions and could lead to customers taking their business elsewhere.
● FISMA (2002): FISMA was introduced under the Homeland Security Act with the aim of improving electronic government services and processes. This act ultimately established guidelines for federal agencies on security standards.
While useful for establishing some minimal security efforts, it can be argued that these U.S. regulations do not go far enough to safeguard against data breaches and cyber attacks. After several data breaches in recent years, individual companies have stepped up their efforts to keep data secure on a case-by-case basis, but often still do not go far enough. The EU saw the same pattern over the past couple of decades, which is what inspired GDPR.
What US Small Businesses Need to Do Now About GDPR
Technically, U.S. companies can treat their EU users differently from their U.S. users by complying with GDPR only for EU users. Larger companies such as Google and Facebook are instead extending the data protections to all users.
Many users in the U.S. are hopeful for similar regulations or for companies to extend privacy settings in the U.S. as well.
Evaluate Data Practices
If your organization has a digital presence in the EU, then yes, you need to comply with GDPR for at least your users in the EU (which includes the UK, for now). Here are some action items to evaluate:
1. What data does your company currently collect?
Did you receive consent from users to collect this data? If unsure, you should send out a notice to customers explaining what data you are currently collecting.
2. How is this data collected?
You must notify users about what data you are collecting, why you are collecting it, and what you are doing with it. Users must consent to this and be able to view and/or delete their data at any time.
3. Where is this data stored?
Companies must tell users how long the data is going to be stored for and how it is being kept private. In plain language, your privacy statement should cover:
● What personal information you collect
● How and why you collect it
● How you use it
● How you secure it
● Any third parties with access to it
● How users can control any aspects of this
Increase Cyber Security Investments
This is also an opportunity for U.S. companies to look at the cyber security measures they have in place and reevaluate how to keep data more secure -- which is always in the best interest of the company and its users. Marcus Turner, Chief Architect at Enola Labs Software, often discusses cyber security measures with his clients, stating:
"Ultimately, high levels of cyber security are a necessary and worthwhile investment for businesses that care about protecting their customers and safeguarding their businesses. I often tell businesses that they can pay an upfront cost now to protect their data, or wait until a cyber security attack and pay an even bigger price later to clean up the mess. Waiting may very well cost you your business."
It will be interesting to see how the U.S. is further impacted by GDPR and what implications follow. For now, companies need to immediately begin analyzing their data collection and privacy standards and crafting an easy-to-understand privacy statement.
Alexandra Bohigian manages marketing at Enola Labs Software, an Austin, TX-based software development company.
Alexandra has been published for her writing on technology, security, software trends and current events.
[Editor's Note: Although this is an article on small business legal compliance, it's educational in nature and doesn't constitute legal advice.]