You may think that US businesses aren’t impacted by the EU’s General Data Protection Regulation (GDPR), but it is time to take a closer look. The impact of GDPR could be far reaching.
GDPR represents a huge leap in data protection for people in the EU: their personal data may not be used, or even kept, without a lawful basis such as their consent.
GDPR’s Impact On Small Business In The US
Applying in the EU from May 25th, 2018, GDPR strengthens privacy protections for individuals in the EU (data subjects), regardless of their citizenship. Given the global economy, GDPR’s impact on small business in the US can’t be ignored.
No doubt those in the EU are as fed up as we are with the constant data breaches and weak apologies from companies that hold personal data and seem to leak it continuously.
Here in the US, the pace and impact of data breaches increase year after year, a trend I documented in Security Breach Horror Stories. That post details security breaches going back years.
GDPR sets a high bar when it comes to personal data. Article 4(1) defines it as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Compared with the 1995 Directive it replaces, the regulation now names location data and online identifiers explicitly; the recitals call out IP addresses and cookie identifiers.
Just about any information collected on an individual could fall under this definition, including the IP address, device ID or cookie value sitting in an ordinary web-server or application log.
In addition to the broadened definition of what constitutes personal data, GDPR also establishes several concepts around data protection:
Consent: In the past, companies typically asked once, buried the request in the terms of service, and treated that as permission to use personal data for anything. Under GDPR consent must be freely given, specific, informed and unambiguous; it must be obtained separately for each purpose; a pre-ticked box does not count; and the company must be able to demonstrate that consent was given (who consented, to what, when, and what they were told). Facebook is the usual example: under GDPR it would need consent to collect data for one purpose, and separate consent to share that data with another entity. Note that consent is only one of several lawful bases for processing (performing a contract and legitimate interests are others), so the first question is always which basis you are relying on for each purpose.
Forget Me: Consent is no longer permanent. GDPR treats the individual as the owner of their data even after consent has been given, lets them withdraw that consent at any time, and requires withdrawal to be as easy as giving it; processing that relied on the consent then has to stop. Alongside this sits the right to erasure (Article 17): a person can ask a company to delete the personal data it holds on them, and the company must do so unless it has another legal ground to keep it, such as a statutory retention obligation. In practice that means knowing every system, backup and third party the data has flowed to.
Portability: A person can ask for the personal data they provided in a structured, commonly used, machine-readable format (JSON or CSV, for example) so they can take it to another provider. This sits alongside the right of access, under which a person can ask what personal data a company holds on them, for what purposes, and with whom it has been shared.
Notification: Should a personal data breach occur, companies must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, the individuals must be told as well. What’s important here is that the clock starts at awareness, not at the end of the investigation, so incident response has to produce a defensible timeline and an initial notification that can be supplemented as facts emerge.
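As an added illustration of the consent rule above (my own example code, not code from the original post or from any regulator): a consent register that stores one event per purpose, keeps the evidence for each event alongside it, and derives the current answer from the log. The subject IDs, purpose names, notice versions and capture channels are constructed sample values.

```python
# Added example, not code from the original post: an append-only consent register
# in which consent is specific to one purpose, is kept together with the evidence
# needed to demonstrate it (who, when, which notice text, which channel), and can be
# withdrawn for one purpose without touching the others. Subject IDs, purpose names
# and notice versions below are constructed sample values.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one purpose per event, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    notice_version: str   # the notice text the person was shown
    source: str           # channel it was captured on (form, API, support ticket)
    at: datetime          # UTC timestamp of the event


class ConsentRegister:
    """Events are appended, never edited; current state is derived from the log."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               notice_version: str, source: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        event = ConsentEvent(subject_id, purpose, granted, notice_version,
                             source, at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Purpose-bound check: only the latest event for *that* purpose counts,
        and no event at all means no consent (nothing is assumed by default)."""
        latest = self.evidence(subject_id, purpose)
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The record you would produce to demonstrate that consent was given
        (or withdrawn): the latest event for this subject and purpose."""
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full trail for one person, e.g. to answer an access request."""
        return [e for e in self._events if e.subject_id == subject_id]


def demo() -> Dict[str, bool]:
    """Walk through give / check / withdraw and return the checks as a dict."""
    reg = ConsentRegister()
    # Constructed sample: the person ticks the newsletter box on the signup form.
    reg.record("u-1001", "marketing_email", True, "privacy-notice-v3", "signup form")
    result = {
        # Consent was given for email, so email processing may go ahead.
        "email_before": reg.may_process("u-1001", "marketing_email"),
        # Sharing with a partner is a separate purpose; nothing is bundled in.
        "share_before": reg.may_process("u-1001", "share_with_partner"),
    }
    # Later the person withdraws email consent from the preferences page.
    reg.record("u-1001", "marketing_email", False, "privacy-notice-v3", "preferences page")
    result["email_after"] = reg.may_process("u-1001", "marketing_email")
    result["share_after"] = reg.may_process("u-1001", "share_with_partner")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The log is append-only on purpose: a withdrawal is recorded as a new event rather than by deleting the grant, so you can still show that processing during the consented period was lawful. A real deployment would persist the events in a store with its own integrity controls and would key the notice version to the exact text shown.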
Regardless of the immediate impact of GDPR on US businesses, it seems inevitable that the US government will enact some type of data privacy legislation at some point in the future.
With cases like the one described in Equifax Data Breach: More Questions Than Answers, it is a virtual certainty that US legislators will step up their urgency to protect citizens. If only for the grandstanding benefits – just depending on how cynical you are!
If it isn’t the federal government that pulls the trigger on this, several states are already making moves.
Here in North Carolina, Attorney General Josh Stein has introduced legislation to help expand and strengthen protection for N.C. residents. That legislation mirrors GDPR’s focus on quickly alerting citizens of a breach and extending the definition of “Personal Information.” You can read more about this proposed legislation in my post Act To Strengthen Identity Theft Protections.
But look at it this way.
The EU has been operating under a privacy directive since 1995 (the Data Protection Directive, 95/46/EC), which set a baseline for privacy regulation but left it to the individual member states to enact their own laws. GDPR, being a regulation rather than a directive, applies directly in every member state. If the EU is any indication, the US Federal Government will probably follow the same path, eventually stepping in to unify privacy protection for all its citizens with common legislation across the states.
SMBs at Risk
If you are still under the impression that small businesses just aren’t a target of hackers, think again. Check out What Breach? The Details You Need From The 2017 North Carolina Security Breach Report for details that prove exactly the opposite.
In fact, I wrote about this last year in my post Why SMBs are the Perfect Target for Hackers, describing in detail why SMBs are such a juicy target. I also highlight several key items you need to focus on when beefing up your security stance.
Mix the current state of security with the mountains of data available on individuals, and you have a recipe for disaster. The greatest danger is exposing your business to this regulation, and to the breaches behind it, without even knowing it.
The Three Questions
Here is a quick gut check to determine if you might be impacted by GDPR:
- Are you an organization located outside the EU that offers goods or services to people in the EU, whether or not you charge for them?
- Do you monitor the behavior of people in the EU, for example by tracking visitors to your site or profiling them?
- Do you process personal data in the context of an establishment in the EU, such as an office, branch or subsidiary?
If you answer yes to any of these three, you must comply with GDPR. Simply having an EU resident in your customer database is not by itself enough; what matters is whether you are targeting people in the EU (shipping to EU countries, pricing in euros, offering EU-language sites) or tracking them.
If you need assistance assessing your business exposure to GDPR or need help thinking through ways to comply with the regulation, please give us a shout, we are happy to help.