The new General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018. Many businesses are struggling to reach compliance with this latest piece of legislation. Because it replaces the 1995 EU Data Protection Directive, GDPR provides a much higher level of protection for individuals' personal data. It also means that many businesses will need to step up their data protection practices.
Your small business is no exception. 68% of US-based businesses estimate that they’ll spend between $1 million and $10 million in order to keep up with GDPR requirements. It’s important that small business owners and big business owners alike understand the requirements and make a plan to update their website as soon as possible.
GDPR is most concerned with personal customer data. It gives customers more rights and control over how their data is used, stored, accessed, and more. With an increasing number of citizens worrying about protecting their private data, this legislation provides the protection that customers have been asking for. Under GDPR, customers can:
- Access their personal data and the ways it’s being used at any time.
- Have their data deleted if they are no longer a customer of the company or otherwise wish to withdraw their data from that setting.
- Move their data to another location or share it with another company in a standard format.
- Be informed how data collected is being used and how it’s being collected before they permit that data collection.
- Alter data that is incorrect.
- Restrict data processing or limit the ways in which their data can be used.
- Be notified within 72 hours of a data breach that has or may have compromised customer information.
GDPR is all about data sharing and awareness. Many customers will remain just as comfortable with their data being collected and used the way it always has been, but others will want better control over their data, and businesses must comply with those wishes, since data privacy is now a customer right.
GDPR and Your Small Business Website
As a small business owner, you may deal in smaller quantities of data than your larger counterparts within your industry, but you will still be heavily affected by GDPR. Failure to comply with these regulations can lead to fines of 4% of your annual global revenue or up to 20 million Euros, a substantial impact that could shut down a business permanently. There are several steps that you, as a small business owner, should take to protect your business and ensure compliance with these regulations.
Appoint a data protection officer.
Someone within your business needs to be responsible for understanding GDPR, the data your company collects, and how you can help keep it more secure for your customers. A security audit for your database systems is a good place to start. Your data protection officer should understand the need for security and how it impacts your company as a whole.
Train your employees.
Threats from outside your network are terrifying. You never know when hackers are going to strike. Unfortunately, the majority of threats against data still originate inside the network. Your employees typically won't try to break down your security; however, a poor understanding of emails, links, and other types of traffic can lead them to mistakenly open the door for that type of attack. Well-trained employees, on the other hand, have a deeper understanding of cyber security and data protection, which helps eliminate internal threats to your business.
GDPR and Your Company Website
Redesign your website.
A website redesign will help ensure that you’re meeting necessary consent regulations, including offering customers more than one opportunity to decide whether or not they’re going to allow their data to be collected. Checking your website design is a critical part of this compliance strategy, since it’s one of the biggest ways you interact with your customers and collect their data.
Check your data storage.
GDPR is concerned with several types of data, including biometric data, health and genetic data, racial or ethnic data, sexual orientation, and political opinions or other information as well as any personally identifying information. Any of this type of data that is stored on your systems must be protected appropriately. It is critical that you take a look at your data storage and whether or not it is up to these standards.
Design a breach reporting policy.
Small businesses are at higher risk for data breaches than ever. Hackers know that small businesses lack the extensive protections many larger companies are able to put in place, and as a result they have attacked an increasing number of small businesses in recent years. It isn't enough to protect the confidential data in your systems; it's critical that you also have a policy in place that ensures customers are notified of a potential breach within 72 hours. This is one requirement for maintaining GDPR compliance.
Conduct an assessment.
Consider using an outside assessor to help ensure that your business is fully compliant.
Create a report of compliance.
Make sure that you have the right information at hand so that you can fully display GDPR compliance and report it as needed.
Your Location Doesn’t Matter
Many US-based businesses started out breathing a sigh of relief as they watched information about GDPR appear. After all, this applies to businesses in the EU, right? It’s important to note, however, that US-based businesses, including small businesses, will also need to be diligent about keeping up with GDPR regulations if they collect data from anyone in the EU.
It doesn’t matter if there is a financial transaction that takes place or any other stipulations. All that is required is that data is collected from someone in the EU at the time the data is collected.
This affects you if your business has an online presence and you ever interact with EU citizens. You will need to track these regulations to ensure that your data protection is up to GDPR standards. It's not your location that matters; it's the location of your customers, including customers who aren't actively making purchases.
Getting help with GDPR
You should hire a web developer to assess your web server and database security and make sure your customer data stays protected. You need a web security audit no matter where your website is hosted. Web servers and database servers continuously release security updates, so make sure you're using current versions. Also make sure that your sensitive user data is properly encrypted; this will minimize the impact if your data is breached. All passwords and financial data should be encrypted, if not all user data.
If you're worried about meeting GDPR standards or fear that you've failed to develop a plan in time, check out this article on creating a GDPR audit. You can incur substantial fines if you fail to meet GDPR regulations. Ensure that you are efficiently and effectively protecting customer data and your own privacy.
Great article Wes! I have been wondering about the USA businesses and how it will affect them. Thanks for clarifying that.
I’m afraid a lot of businesses will not find out until they get the fine. At that point it might be too late.