Despite popular belief, the European Union’s General Data Protection Regulation (GDPR) law isn’t limited to businesses operating within the EU. It went into effect May 25th, 2018, and if your company advertises online, offers B2B services, or works with international freelancers, you might have another compliance framework to worry about.
What is GDPR?
Much like HIPAA in the US and PIPEDA in Canada, GDPR is one government’s attempt to protect its citizens’ data. But in a world where 58% of small businesses have international customers and partners, doing so is impossible unless said government can enforce its laws abroad.
What information does GDPR protect?
GDPR forces any business that stores information on EU citizens to meet cybersecurity minimums and provide them with the ability to review and delete any or all of that data. Here’s a list of the customer data protected by GDPR:
- Names, addresses, and ID numbers
- Web-based locations, IP addresses, and "cookies" that use browsing histories to target ads
- Health, genetic, and biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Although that’s a broad definition of private data, many Rochester and Buffalo small businesses still assume they’ll never need to worry about GDPR compliance.
Business practices that require GDPR compliance
GDPR exempts businesses smaller than 250 employees from some compliance requirements, but the exemption is so vaguely defined that legal experts believe it offers little protection. Since it's better to be safe than sorry, we recommend ensuring you're GDPR-compliant if you engage in any of these common business practices:
- Shipping products to the EU, which requires a name and address
- Offering EU-language translations of your website, because it implies you market there
- Neglecting to give website visitors a way to opt out of cookies
- Sending email newsletters to EU citizens using an app that tracks when or where messages are opened
- Providing professional services to businesses that serve or employ EU citizens, assuming you have access to any of the information listed above
- Outsourcing work to an EU citizen, assuming you need to store his or her information for tax-reporting purposes
At least five out of the top 10 businesses on the Rochester Chamber of Commerce’s Top 100 rely on the practices above. If you think your organization might not be exempt, here's what you should do about it.
GDPR technical requirements
The first thing you must do is comb through all the data you store and look for anything regulated by GDPR. This is no easy task considering most businesses have thousands of emails and files dating back several years.
Next, you must organize regulated data by individual. This is because EU citizens can demand that you erase their records from your systems, and having everything categorized will ensure such requests are handled “without undue delay.”
Although GDPR encourages encryption, the only requirements are “organisational measures [that] ensure a level of security appropriate to the risk.” Regardless of whether you’re required to adhere to HIPAA, GDPR, or both, we recommend a multi-layer approach to cybersecurity.
Finally, if an unauthorized party gains access to your data, you’re required to notify EU authorities within 72 hours, and affected individuals as soon as possible.
The costs of noncompliance
Storing personal information without adhering to GDPR requirements could result in a 10 million Euro fine ($11.7 million) or 2% of your global revenue, whichever is higher.
Most small businesses wouldn’t be able to continue operating after such a substantial fine. And if hackers discover subpar data security before the compliance authorities do, small businesses face breach costs averaging $120,000 per incident.
The solution for Rochester businesses
GDPR affects far more SMBs in western New York than most people realize. To find out if you’re one of them, Capstone IT offers free cybersecurity assessments. And if it turns out you’re required to follow GDPR regulations, our CyberShield solution will protect your data and our Cyber Insurance will protect you from six-figure breach costs. Give us a call today, because an ounce of prevention is worth 12 million bucks’ worth of cure.