I would imagine for many of us, the first place to start would be to figure out what GDPR stands for. The General Data Protection Regulation (GDPR) is a legal framework that sets rules for the collection and processing of the personal data of individuals within the European Union. Your next question would probably be: why should I care about GDPR if I am an American company?
The legislation, which went into effect last week, attempts to give consumers control over the personal data that companies collect about them. Not only will it affect organizations located within the EU, but it will also apply to companies outside the region if they offer goods or services to, or monitor the behavior of, people in the EU bloc. The penalty for non-compliance is stiff. Companies face fines of up to 4 percent of total annual global turnover (or 20 million euros, whichever is higher) if they break the rules.
It’s all about the data, which is why this legislation could have far-reaching impact on the Facebooks and Googles of the world. While in the U.S. California is attempting to put a price on big tech’s use of consumer data, the EU is trying to prevent the misuse of personal data and the misinformation given to consumers about how it is handled. If you are a small business that falls under these rules, you can take a proactive stance and make the changes that will help protect you. You can begin by refining your security implementation and processes, working with outside counsel to review your data supply chains (where personal data comes from, where it is stored, and who it is shared with), and creating new consent procedures.
As a consumer, or as a provider of personal data, you may have noticed that in the last month you have been asked to accept updated terms of service by the likes of Facebook, Google, et al. This is a direct response to the compliance requirements of the new GDPR legislation.
If your business falls under the rules, you should do the same. Communicate with your customers and users, collect consent before sending marketing emails, and update your privacy policies and terms of service. In addition, educate them on how their information is being used and, when and if data is submitted, how it will be safeguarded. The more your customers know about what is being done with their data, the more likely they are to be okay with your use of it. The good news for most small businesses is that the regulation’s 250-employee threshold relaxes the record-keeping burden: organizations with fewer than 250 employees are exempt from maintaining formal records of processing unless their processing of personal data is more than occasional, involves sensitive categories of data, or is likely to pose a risk to individuals. If you do not handle the personal data of people in the EU on a regular basis, the practical impact of this new legislation on you will be small, but note that the regulation itself applies regardless of company size.
The obvious fear here is the data breach. One of the major changes GDPR brings is a right for consumers to know when their data has been compromised. Protocols must be put in place so that the supervisory authority can be notified within 72 hours of discovering a breach of personal data, and so that the affected individuals can be notified without undue delay when the breach is likely to put them at high risk. Meeting that 72-hour window in practice means having logging, monitoring, and an incident response plan in place before anything happens; you cannot report what you cannot detect. In light of the significant financial penalties for non-compliance, it is of the utmost importance to build the regulation’s requirements into your operations. Like any other legal issue, if a breach is determined to have happened, you will be looked upon more favorably if you have all the necessary compliance people and procedures in place.