Why North American Companies Should Care About GDPR in 2020

Posted on July 21, 2020 - by Darren Gallop - in Building Your InfoSec Program


If you think the GDPR doesn’t apply to your company, you could be wrong. In 2020, the GDPR is making an impact and companies need to take note.

Let’s go back. As part of efforts to improve the privacy and protection of European Union citizens’ data, the General Data Protection Regulation, better known as GDPR, was adopted in 2016 and went into effect in 2018. Since then, many North American companies have seemed confused by, or have outright ignored, these new compliance requirements.

That’s dangerous. Here’s why, and what you can do right now to become GDPR compliant.

North American Companies with European Customers Must Pay Attention

The GDPR may seem like it affects European businesses only, but the nature of the internet means it can easily affect companies outside the region as well. In short: if you’re collecting data on your website from individuals located in the European Union, you must comply with GDPR. 

The Data Protection Authorities (DPA) initially had difficulty enforcing the laws outside of the EU. But by March 2020, some 231 GDPR fines had been handed out to non-compliant companies at a total of $508 million.  

The fines for noncompliance are capped at $21 million or 4 percent of your company’s annual total revenues – whichever is greater. It doesn’t matter how large or small you are, nor does it matter that you “only do business in New York.” The GDPR intends to protect European Union citizens no matter what they do online, and no matter where. If they visit your website? You now have data on those citizens that comes with strings attached.

Are your customers asking about your GDPR compliance? Get our tips on how to complete Security Questionnaires for vendors.

How to Ensure Compliance with GDPR in 2020

Many companies are taking the initiative to become GDPR compliant as it represents a competitive advantage in the global business landscape. Others are choosing not to do business with European customers at all, a strategy that may hamstring them in a global market. 

If you need to comply with GDPR, here’s a high-level checklist of what you need to do:

  1. Take an inventory of all data you collect and process. This will help you identify how much data you possess from EU users. 
  2. Review and update your data privacy notices to comply with GDPR (the GDPR site provides a template).
  3. Assess your current data handling and processing methods. Ensure these are documented and in compliance.
  4. Review and update how you request and track customer consent. GDPR requires you to ask, obtain, and record consent for data collection.
  5. Designate an individual who will be responsible for data protection compliance.
  6. Develop procedures to identify, investigate, and report a data breach. GDPR requires you to notify affected users within 72 hours.
  7. Make sure your cookie notices, consent forms, and other public material are cross-browser compatible and display correctly.
  8. Update your content and privacy policies to uphold the “right to be forgotten.” Users should be able to request that their data or information about them (public or private) is deleted.
  9. Educate your employees about GDPR and make sure they understand their roles.
  10. Develop and maintain a documented information security program. Data security is a mandatory component of GDPR.

If you’re starting from scratch (or nearly), the Securicy platform can provide a solid foundation for all the policies and procedures you need to comply with GDPR.

Automate Compliance and Security with Securicy

Even before this new set of regulations, B2B companies were already discovering that cybersecurity was making or breaking new sales. Since the GDPR, some companies in North America are finding that expanding their business globally is more challenging. However, companies can find that compliance gives them a significant edge when working with enterprise customers.

These were key motivations for us when we founded Securicy – too many businesses can’t create an adequate security program themselves or afford to hire a consultant to do all this work. That’s why we built solutions that enable growing companies, startups, and mid-sized businesses to achieve compliance with industry standards and GDPR.

In 2020, the GDPR is in full force and we’re continuing to see an increase in the number of non-compliance fines handed out to global companies. If you have European users, you must demonstrate compliance with these laws or face penalties. Fortunately, by taking steps to secure your data, you can also take steps to become compliant and bring in new customers. 

Are you compliant with the GDPR? Do you need to be?


About the author

Darren Gallop is a tech entrepreneur, information security expert, Techstars alumnus, board member, and the CEO of Securicy. He co-founded Securicy and led the team to develop a SaaS product that guides businesses through creating, implementing, and managing their information security and privacy compliance program. Gallop previously co-founded Marcato and was CEO there for 10 years, until the successful event management software company was acquired by Patron Technology. He is fluent in English and French, and adept in Spanish. Gallop spends much of his non-work time traveling or engaging in the outdoors: swimming, fly fishing, canoeing, camping, and surfing (basically in that order). He is from Nova Scotia, Canada.