American small businesses may not have paid much attention when the European Union finalized its new data privacy law. Many assumed the General Data Protection Regulation (GDPR) applies only to European businesses, or at least those doing significant business there. In fact, though, GDPR applies to virtually every business that processes any personal data on any EU citizen or resident.
The GDPR is a lengthy, dense legal document with hundreds of clauses to understand and address. Compliance can seem daunting for many small and medium-sized businesses, but a violation can bring serious consequences. A major breach of personal data, for example, can subject businesses to large fines, whether or not the breach was the fault of the business. The good news: A few small steps can put most U.S. small businesses on the right side of GDPR compliance.
1. Determine How GDPR Applies to the Business
It’s wise to seek legal advice from someone who is well versed in both GDPR and U.S. data privacy laws. The key item to discuss is what types of personal data the business collects. Even data that’s not considered personally identifiable information in the context of U.S. law may be relevant to GDPR. Something as simple as developing an email database to send people a company newsletter could fall under GDPR, because an EU citizen or resident could sign up.
In some cases, a business may determine that a few simple, inexpensive changes to how it manages data can free it from GDPR compliance requirements entirely. The deluge of privacy notices popping up on websites and terms-of-service updates arriving in people’s inboxes are examples of companies making quick updates to comply with GDPR.
2. Conduct an Independent GDPR Compliance Assessment
Some companies, particularly those that have recently had a similar assessment for PII protection, may find that their greatest need is to understand what their privacy policies should include to accommodate the additional data covered by GDPR, assuming they can then propagate policy changes to the relevant procedures.
But a business’s policies are always at the root of everything else it does. At the least, it should have an outside party with strong GDPR knowledge assess those policies. This should give the business the greatest benefit for the least expense.
3. Address Data Protection Deficiencies
Another example: ensuring all content delivered to people electronically, such as an email newsletter, is on an opt-in basis.
A business may also modify its breach detection and reporting processes to comply with GDPR requirements, train staff on their roles and responsibilities under GDPR, and strengthen the technical controls the business deploys to protect personal data. Several technologies can help businesses with compliance, such as data encryption (including full-disk encryption solutions); multifactor authentication and privileged access management solutions; and server security technologies.
Finally, as part of addressing deficiencies, it’s critically important that a business also coordinate with all third parties handling personal data on its behalf. These vendors must also be GDPR-compliant; a business could be held liable if a third party acting on its behalf violates GDPR. It’s vital that contracts and other agreements with those businesses be updated to require this compliance and to establish processes on such things as how potential breaches of the personal data will be handled and reported.
Many small businesses have been confused by GDPR since the regulation took effect in May. And while it is intimidating at first, it doesn’t need to be. Following these steps can help a business determine what it needs to do and make progress toward being compliant.