All businesses should take a hard look to see if and how they are affected by GDPR now that is is in effect.
GDPR (or the General Data Protection Regulation) is a law governing the data protection and privacy for people in the European Union (EU) and European Economic Area. This regulation has been officially in effect since May, 25th 2018. But, this law doesn’t apply only to businesses in the EU, there are impacts from GDPR for US companies.
Our GDPR expert, John Prejean, says that any business associated with the EU needs to comply with the law. “There are serious consequences for violating the regulation,” John says, “including hefty fines, up to $20m euros or four percent of global revenues, whichever is higher.” And, of course, potential damage to a company’s reputation.
GDPR For US Companies: Is Your Business Affected?
Any US company with a connection to the EU (including subsidiaries, customers, and suppliers) must comply with the regulation. It’s important to take a deep look into your customers and suppliers, in particular, to see if they are tied to the EU. In this global economy, it’s simply not safe to assume you’re unaffected.
In A Nutshell What Does GDPR Cover?
GDPR Is all about data protection and privacy. Basically, it requires the businesses to know and document where their data is stored and how and where it moves. “Outside the need for GDPR compliance, this foundational requirement is extremely valuable to the organization,” John says.
You’ve probably noticed more and more websites requesting you opt in or out of allowing the site to capture cookies. This is in response to one of the main components of the GDPR: consent. Clearly defined consent is required for all GDPR affected businesses, but it also helps to gain customer confidence.
Why GDPR Is Important For US Companies, Regardless of Regulation.
Even if your business is completely untied to the EU, and the GDPR change does not affect your business directly, it can still be helpful for your company. It’s unwise to view the GDPR as a big, scary, negative change – many businesses can benefit from following GDPR practices!
John says that the fines for breaking the GDPR law are “only part of the cost the business
would incur with a data breach”. He explains that GDPR gives investigative powers to the Member States’ supervisory authorities. These authorities may discover the breach. But, it is more likely that a 3rd party would report a breach, or submit a complaint to the authorities. Companies are obligated to comply with requests from authorities for GDPR related compliance information.
Having a data breach isn’t cheap. There is the cost that comes with finding the breach in the first place. Then there are the post-breach costs, any business lost due to the breach, and any litigious expenses. Having a data breach is not good for business, regardless of GDPR.
How To Comply With GDPR Regulations:
As John says, most of the stipulations in GDPR for US Companies are just good, solid business practices. Really, it shouldn’t be totally new to a business, as there should already be some data security and privacy measures in place. We like to think of it more as an opportunity to make data security part of the company culture. Shoring up your data security and privacy practices have many benefits, including saving money, resources, and your reputation.
When we’re working with GDPR compliance, the first thing we do for a client is a full risk assessment. This includes evaluating the staff, processes, and their technology. It allows us to identify any holes in the process and determine associated risk. Knowing these weaknesses is half the battle! From there we can create a plan to address any compliance and security issues. This gives us the ability to work with the business to prioritize the timing and resources needed to become compliant.
Should A Novice Try To Comply Alone?
In the grand scheme of things, the concepts covered in GDPR for US companies are pretty simple and easy to understand. The main difficulty we find with most compliance clients is the identification of vulnerabilities in their processes. It can be difficult to seek these out without a trained eye, let alone correct the problem. Seeking expert help can save a lot of time and money.
Data protection is so important to us, we created a basic set of data protection principles ready to plug into a business. We also ensure that compliance becomes part of the company culture. To do this we always have training sessions with our clients to help staff members understand the importance of their role in maintaining compliance. We usually find there is a misconception that being compliant is a one and done exercise, but a major component is a shift in culture. This is one reason why ongoing training is one of the most critical areas to get right.
Whether or not you need to worry about GDPR for US Companies, data protection, and privacy are critical business practices. In some ways, we can thank the GDPR for forcing many companies to think about how they’re using data while doing business. Data security affects all the people in an organization from accounting to sales to legal andIT.
Need help getting your data security on point? Let’s talk about different solutions for your business.