A flash poll conducted by Baker Tilly Virchow Krause, LLP (Baker Tilly) has revealed that an astounding 90 percent of organizations don’t have the necessary protocols in place to be compliant with the General Data Protection Regulation (GDPR) as the May 25, 2018 deadline fast approaches.
Not Prepared for the GDPR? You’re Far From Alone
Although large corporations are getting the lion’s share of the attention when it comes to GDPR, the ruling affects any size company with an internet presence offering European Union (EU) residents a service. And with the penalties being so severe, businesses shouldn’t wait so close to the implementation date to comply.
Small businesses selling goods and services in the EU or interacting with their customers in other forms online have to be ready. As long as your business is collecting, processing, using and storing personal data that originated in the EU, you fall under the umbrella of the new GDPR regulations. And you will not be exempted because of your location, company size, or business type. If you don’t comply, there is a price to pay.
The fines can go as high as four percent of annual global revenue or €20 million (over $24 million), whichever is greater. Individuals who suffer damages can also take legal action by suing the data controller, processor or both as well as anyone in the supply chain.
David Ross, partner with Baker Tilly’s cybersecurity and privacy practice, said in the press release, “… organizations need to implement proactive, risk-based monitoring and compliance measures as part of a comprehensive cybersecurity and privacy program.”
Getting ready means understanding what GDPR is and knowing the data it covers. It governs the personal data of individuals originating in the EU including citizens, residents, and visitors along with EU citizens living outside of the union.
The data it covers are basic identity, web, health and genetic, biometric, mental, cultural, economic, and social and political identity.
According to Baker Tilly, your organization can be liable under GDPR if you have a presence in the EU, your customers are there, you use EU suppliers and vendors, you have a data-related business, you carry out marketing efforts in the EU, or your employees, investors or customers are EU citizens.
The company has posted a recent webinar titled, “GDPR: Is your organization ready?” You can watch the on-demand recording here to see what steps your business should take to comply with the regulation.
You can also get all the information about the GDPR from the official EU website here. The Information Commissioner’s Office of the UK has also posted a document (PDF) with 12 steps you can take to prepare your business.
The goal of the GDPR is to protect the data of individuals. The Facebook/Cambridge Analytica revelation pointed out major flaws in how personal data is readily made available to third parties. The regulation forces anyone in possession of such data to do all they can to protect it.
As Mike Vanderbilt, director with Baker Tilly’s cybersecurity and privacy practice, said, “Having well-documented privacy policies and procedures coupled with a documented privacy program overall demonstrates the organization is actively engaged in ensuring compliance in case of GDPR oversight review.”
You can take a look at the Baker Tilly GDPR primer infographic below to get you up and running.
From my understanding this law is too far-reaching and will enable an avalanche of legal action. Any online business could be at risk simply for having a domain that is accessible by an EU citizen.
Yes, there is no way to know exactly what you would need to do to comply. And the fines are outrageous. Since English is widely used in the EU, they could and probably will claim that all sites published in English are affected.
Even if you wanted to make sure you were 100% safe, what would that look like? You could eliminate your mailing list, but maybe you would have to remove the ability to use a contact form, too?
If the wealthy want to pass laws like this, they could at least be clear on what they expect non-corporate small businesses, bloggers, and other small site owners to do.
It is definitely far-reaching. As written, the regulation can be exploited, leaving many businesses, especially small ones, vulnerable to lawsuits. Because you have to remember, in addition to the fines the EU can impose, individual citizens can also go after you for damages.
It came as a surprise and it is just so sudden. So it is not surprising that so many businesses are not able to comply.
This will entrench the big tech guys and kill competition. No wonder the EU is so hated; I now understand why they are. The internet as we know it is about to be changed forever; it will increasingly get compartmentalized and segregated. Perhaps that is what they want anyway. If I ran a small business outside the EU, I would just close access to EU users.
It is going to be very challenging for small businesses outside of the EU, and also within it. If you are a small business owner in the EU with e-commerce or a customer facing digital presence, you are now going to have to budget in additional IT services, insurance and more, while hoping you never accidentally violate any of the regulations.