Perhaps you've noticed a flood of new privacy notices clogging your inbox and have begun to wonder about this GDPR law they keep referring to. What does it mean? Does it apply to your company?
Here's what small and mid-sized business (SMB) owners should know about the European Union's tough new data privacy regulation and how it affects the way they do business.
What is GDPR?
Short for the EU's General Data Protection Regulation, GDPR is a stringent set of data privacy and security requirements affecting businesses that handle personal data belonging to EU citizens. It goes into effect May 25, 2018, and companies based outside of the EU are not exempt if they collect personal data pertaining to EU users.
You can pore over the official GDPR text or scan a more digestible version at gdpr-info.eu, but the bottom line is that businesses of all sizes must now zealously guard their customer and user information or face stiff penalties of up to four percent of a company's global annual revenues or €20 million in severe cases of non-compliance.
Small Business Computing asked three technology experts what advice they would give SMB owners about operating a company under this new regulatory regime. Here are their tips.
Get to know your data for GDPR compliance at any budget
SMBs face an uphill battle when it comes to GDPR, acknowledges Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, a technology company specializing in Microsoft cloud solutions for businesses. Simply put, smaller organizations oftentimes lack the IT budgets to implement new and sophisticated security programs.
"If leaders of small and mid-size businesses want to improve their security programs while keeping their budgets under control, the most important thing for them to understand is how data, people and location weave together to create patterns — both good and bad — across and within their organizations," she said. "Only by understanding your existing data can you effectively protect it."
Consider cyber liability insurance
What if the unthinkable happens and your company's efforts to safeguard personal information fall short?
Cyber liability insurance, also called cyber insurance or cybersecurity insurance, picks up where an organization's general liability insurance or other policies leave off.
"With the deadline to comply with GDPR just over two weeks away, many small businesses are scrambling to ensure they're prepared for the regulation's strict guidelines — and wondering how they might need to adjust their insurance policies," said Jeff Somers, president of cyber insurance vendor Insureon. "Many aspects of GDPR can be covered by a solid cyber liability insurance policy, which is good news for any small business that carries this type of insurance."
Already have a cyber liability insurance policy? GDPR provides good motivation for revisiting it.
"For small businesses that do have cyber liability insurance, it's important to note that policies can vary drastically depending on the insurance provider and the business's needs, as there's not a 'one-size-fits-all' cyber policy for every business," said Somers. "Plus, these policies won't protect against some GDPR violations, such as failing to hire a data protection officer."
GDPR is the new normal, get used to it
The days of businesses irresponsibly handling user data, at least without severe repercussions, may soon be over. And SMBs had better get used to it, according to Brian NeSmith, CEO and co-founder at Arctic Wolf Networks, a security operations center (SOC)-as-a-service provider.
"Privacy is on its way to becoming a fundamental right in the U.S., and as such, parts of GDPR will undoubtedly become policy in the U.S. in the coming years," NeSmith said. "The process may take longer than we'd like, but with every major breach the process will be expedited."
Historically, the user data collection practices of companies "flew under the radar of regulators and most consumers," NeSmith added. However, the uproar caused by recent high-profile incidents like the Equifax breach and the Cambridge Analytica scandal has captured mainstream attention and opened the general public's eyes "to the economic, political and social havoc that leaked customer data can create."
"We the people now believe that everyone is entitled to life, liberty, the pursuit of happiness… and data privacy."
Get started now and avoid becoming the poster child of GDPR non-compliance
It's inevitable that some company will be the first to get slapped with potentially ruinous penalties from EU regulators under GDPR. Don't let that company be yours, advised NeSmith.
"The absolute worst thing you can do right now is be the company approaching GDPR like an ostrich, burying your head in the sand and hoping you never have a breach or catch the attention of regulators," he said. "At that point, it will be too late, and the future of your company will be at stake."
Granted, there's still some uncertainty surrounding the law, particularly among American companies. Nonetheless, trying to demonstrate compliance is better than not complying at all.
"If taken literally, it is nearly impossible to fully comply with every aspect of the regulations as they are written," NeSmith noted. "Therefore, much of the discussion is around which parts are an absolute must versus best-effort compliance requirements. The legal requirements will be defined as companies are cited for GDPR violations.
"But no company wants to be the trailblazer in defining what non-compliance looks like," said NeSmith.