Nov 30 2018

3 Steps to Get on the Right Side of GDPR Compliance

Even small U.S. businesses must follow the rules — or risk big fines.

American small businesses may not have paid much attention when the European Union finalized its new data privacy law. Many assumed the General Data Protection Regulation (GDPR) applies only to European businesses, or at least those doing significant business there. In fact, though, GDPR applies to virtually every business that processes any personal data on any EU citizen or resident.

The GDPR is a lengthy, dense legal document with hundreds of clauses to understand and address. Compliance can seem daunting for many small and medium-sized businesses, but a violation can bring serious consequences. A major breach of personal data, for example, can subject a business to large fines, whether or not the breach was the fault of the business. The good news: A few small steps can put most U.S. small businesses on the right side of GDPR compliance.


1. Determine How GDPR Applies to the Business

It’s wise to seek legal advice from someone who is well versed in both GDPR and U.S. data privacy laws. The key item to discuss is what types of personal data the business collects. Even data that’s not considered personally identifiable information in the context of U.S. law may be relevant to GDPR. Something as simple as developing an email database to send people a company newsletter could fall under GDPR, because an EU citizen or resident could sign up.

In some cases, a business may determine that a few simple, inexpensive changes to how it manages data can free it from GDPR compliance requirements entirely. The deluge of privacy notices popping up on websites and terms-of-service updates arriving in people’s inboxes are examples of companies making quick updates to comply with GDPR.

2. Conduct an Independent GDPR Compliance Assessment

After determining how GDPR applies to the business, the next step is to discover where the business is already in compliance and where it isn’t. The best approach is an independent compliance audit. At minimum, an auditor should review the business’s privacy policy (and other policies related to personal data collection), prepare a report indicating any potential compliance issues and provide prioritized recommendations on how to address each issue. A more thorough audit would also review the business’s processes, technologies and other mechanisms used to collect, process and safeguard personal data.

Some companies, particularly those that have recently had a similar assessment for PII protection, may find that their greatest need is to understand what their privacy policies should include to accommodate the additional data covered by GDPR, assuming they can then propagate policy changes to the relevant procedures.

But a business’s policies are always at the root of everything else it does. At the least, it should have an outside party with strong GDPR knowledge assess those policies. This should give the business the greatest benefit for the least expense.

3. Address Data Protection Deficiencies

In addition to updating its privacy policy and privacy notices to be GDPR-compliant, there are many other things a business may have to do to achieve and maintain compliance. One example is strengthening and expanding mechanisms to handle privacy-related requests from people whose data has been collected, such as to correct errors or to delete the data altogether.

Another example: ensuring all content delivered to people electronically, such as an email newsletter, is on an opt-in basis.

A business may also modify its breach detection and reporting processes to comply with GDPR requirements, train staff on their roles and responsibilities under GDPR, and strengthen the technical controls the business deploys to protect personal data. Several technologies can help businesses with compliance, such as data encryption (including full-disk encryption solutions); multifactor authentication and privileged access management solutions; and server security technologies.

Finally, as part of addressing deficiencies, it’s critically important that a business also coordinate with all third parties handling personal data on its behalf. These vendors must also be GDPR-compliant; a business could be held liable if a third party acting on its behalf violates GDPR. It’s vital that contracts and other agreements with those businesses be updated to require this compliance and to establish processes on such things as how potential breaches of the personal data will be handled and reported.

Many small businesses have been confused by GDPR since the regulation took effect in May. And while it is intimidating at first, it doesn’t need to be. Following these steps can help a business determine what it needs to do and make progress toward being compliant.
