The time left until GDPR goes into effect is getting very short. On May 25, businesses that hold data on EU citizens have to be in compliance. Many businesses in the US still haven’t gotten started. They could face serious penalties, especially if they suffer a data breach.
It isn’t clear how the SAs (Supervisory Authorities) will enforce GDPR on companies with no EU presence, but even if they can’t collect fines, they may be able to impose sanctions on foreign violators. Companies could face restrictions on their ability to do business in Europe.
An SMB that occasionally does business with Europeans may not realistically be able to conduct a full GDPR audit and hire a compliance officer. Fortunately, this area isn’t likely to be a primary target for intensive enforcement. This doesn’t mean that small companies with no EU offices are immune; a business that does nothing and allows serious exposure of personal data will run into trouble. Small companies can improve their chances by making a serious effort, even if they aren’t in full compliance.
A large part of compliance is common-sense security. A company needs to restrict access to personal data, document its security controls, and manage the data lifecycle. Any company that handles personal data should do this, simply as a matter of responsibility toward its customers.
GDPR’s rules for data breaches aren’t quite as intuitive, but they should be part of any good security policy. In today’s world it isn’t enough to simply try to prevent breaches; the odds are that some threats will get through. A breach response plan needs to address how to minimize the damage and how to report the facts to the affected people.
Companies subject to GDPR need to have transparent policies. When they collect data on EU citizens, they have to say what they’re collecting and how they’ll use it. They have to explain their data retention and deletion policies. For businesses that already have policies, this is just a matter of making them available and conspicuous wherever there’s a request for personal information. Ones that don’t have defined policies need to develop and publish them.
The language has to be clear and not overly legalistic. Some privacy policies run on for thousands of words, largely because they’re full of boilerplate that isn’t applicable to the situation at hand. The approach will depend on the site’s audience and purpose; a subscription to a newsletter shouldn’t require as much legal precision and depth as the sale of securities.
Under GDPR, sharing of data on EU citizens has to be opt-in. This could be a serious problem for businesses that have built up marketing lists over the years. If they haven’t documented how contacts have opted in, they’re probably in violation.
Choosing a course of action can be difficult here. Asking all existing contacts to confirm their opt-in status and dropping those who don’t respond is the safest bet. A lot of people won’t get around to responding, even if they might actually be interested. Culling a list this way will shrink it significantly.
A more realistic approach might be to give contacts a clear opportunity to opt out and to let them opt in or not on their next transaction. While this may not comply with the letter of the regulations, it might be good enough to stay out of trouble. There are no guarantees.
Best Efforts Count
While GDPR goes into effect on May 25, that doesn’t mean enforcement will jump from zero to blanket coverage in one day. The SAs will have their hands full dealing with the most important cases first. Even if you’re late in complying, making the best possible effort will go a long way. There should be time for small businesses to catch up. Contact us to find out how we can help you achieve GDPR compliance, as well as with other matters best handled by IT managed services.