Hold it right there, small businesses—it’s the authorities. We’ve got you surrounded. Don’t try nothing fancy. Come out with your hands up; slow and steady. That’s right. Do you not see your face on the wanted poster: you’re guilty of the high crime of missing the GDPR deadline!

As of May 25, 2018 if your small business hosts EU citizen data and is not compliant with the General Data Protection Regulation (GDPR), you’ll face fines as high as 20 million euros or 4 percent global turnover—whatever makes you shake in your boots more.

But for many small businesses, becoming compliant by the GDPR deadline has been a costly, time taxing venture, and attempting to comply after the GDPR deadline has passed is like trying to catch a runaway train.


WANTED BY THE GDPR: 
You’re not alone. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. We can infer an even greater number aren’t in compliance with the GDPR presently, at its May 25, 2018 launch.

RECOMMENDATION:  If your small business missed the GDPR deadline, your immediate goals should be to comply with the GDPR as soon as possible to avoid fines that could result in your business giving up the ghost.

So what can your small business do if you missed the GDPR deadline? The first step is to arm yourself with information. In this article, I will answer common GDPR questions and provide 3 immediate actions to help get you on the right side of data privacy law.

 

On the run from the GDPR? Start here:

There’s a new sheriff in town
GDPR’s Most Wanted
3 actions to take if you’ve missed the GDPR deadline
Our Recommendation: Comply or Die
Stay on the right side of data privacy law with these recommended resources

There’s a new sheriff in town

It’s here. After a two-year wind up (first adopted by the European Union in 2016), endless hype, and anticipation, May 25, 2018 marks GDPR’s opening day. The GDPR is putting, once and for all, an end to the lawless “Wild West” of privacy protections for EU citizen data. But you could say the GDPR has been an even longer time coming. It’s an update to the EU’s 1995 Data Protection Directive, which EU member states currently operate. It has been called the most impactful data privacy legislation of the last 20 years.

The GDPR introduces data privacy laws that companies in its borders must comply—and GDPR’s territories include all companies that preside over EU citizen data, including companies who physically exist outside of the European Union.

Immediately, what this means is that worldwide, it’s open season on companies hosting any EU personally identifiable information (PII). If you host PII of European customers, partners, or staff, your small business must comply with GDPR’s tightened screws of data privacy protections or face fines for noncompliance.

To read the GDPR’s legislative text yourself, you can access the source articles and recitals here: GDPR.

GDPR’s Most Wanted

what to do if you missed the GDPR deadlineIf the GDPR affects your company, and you’ve missed the May 25, 2018 deadline, you are now on GDPR’s most wanted list—at risk of noncompliance fines.

GDPR noncompliance fines are tiered and ratchet up based on the severity and frequency of offenses:

~10 million Euros or 2 percent global turnover (whichever is higher)

~20 million Euros or 4 percent global turnover (whichever is higher)

Supervisory authorities of each member state in the EU will administer these fines, though details are still scarce on what specific regulatory bodies will play the role as judge or executioner. Factors such as intention, nature of infringement, steps to limit damages, or even cooperativeness with data regulators will all be taken into consideration when determining repercussions for noncompliance.

Finally it’s important to note that GDPR fines will be levied when data is found noncompliant for any reason. This includes erroneous exposure caused by staff negligence or even cyber security hacks. GDPR fines will be levied on-top of the fallout of a data breach, making a bad situation worse.

While it remains to be seen what the actualities of these fines will incur—no one will know until companies begin getting dragged to court—the GDPR, as written, does not mince words: the possibility of legal forfeiture is very real.

If your small business missed the GDPR deadline, you need to become compliant as soon as possible or face the consequences.

If you’ve missed the GDPR deadline…

 

Ask yourself (and your data) the hard questions:

If you’ve missed the GDPR deadline, the first step to right the ship is to assess why you missed it. You must answer these kinds of questions to make progress. Here are a few to get you started:

Are you a data controller? – Gartner Research Director Bart Willemsen defines a data controller as an organization “that decides on why and how personal data is processed.”

Does you small business typically process PII beyond the purpose for which it was gathered? – If yes, you need to ensure you attain proper consent from your users.

Do you have systems in place to process data from minors? – GDPR dictates that minors (under age 16) must have the legal—explicit—consent of their parents or guardian(s).

 

Fall in love with a data protection officer:

According to a study conducted by The Data Compliance Doctors, an IT consultancy firm, 25 percent of SMBs hired new staff to handle compliance.

If your small business was late to the GDPR deadline, a data protection officer can be a very valuable hire. A data protection officer is someone whose job it is to promote data privacy and help you comply with data privacy regulations like the GDPR.

A data protection officer can help your small business identify the reasons why it is not in compliance with the GDPR and how to get there. Fall in love with a data protection officer here.

 

Recite the data subject bill of rights:

Data subjects, or the individuals whose data is processed by your small business, have gained additional rights under the GDPR. Here are a few:

1. Right to be forgotten – an individual’s unrestricted right to request the deletion of their PII, content, and other types of data records held by an organization.

2. Right to data portability – an individual’s right to easily migrate and transfer their PII across services, devices, and IT environments without limiting its ability to be used.

3. Right to be informed – an individual’s right to be provided advance—or at the earliest possible time—notification of status or how their PII is collected, used, and acted on (e.g., security breaches, retention periods, technologies used in data processing such as automation).

Today, if one of your data subjects made one of these requests for information, could you fulfill their request in an accurate, timely manner? Do you have a process in place or chain of command to meet this need?

If you missed the GDPR deadline, your small business needs to figure out how to accommodate these new rights either with your existing systems and workflow, or by expanding your capabilities.

Gartner’s Bart Willemsen advises businesses to take action sooner rather than later:

“If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls,” said Willemsen.

Our Recommendation: Comply or Die

1. “Like cutting off your own arm!” Dont ban your EU users to get out of complying with the GDPR: To avoid complications, cost, and worries associated to GDPR compliance, some multinational companies have blocked all EU citizen IP addresses from their services. This cauterization of EU data subjects may solve short-term issues, but even if your current location is not subject to GDPR jurisdiction, undoubtedly, data privacy laws will be washing ashore in your region not before long. You should plan for a data privacy-minded future.

2. Stop writing user agreements, privacy policies, and GDPR consent forms that nobody can understand: Create privacy policies that are meant to be read and understood—this is also an opportunity to build stronger, more bountiful customer/staff relationships. Here’s a toolkit to help you create better privacy policies (Available to Gartner clients).

3. Use GDPR changes as an updraft to create a data privacy aware company: The GDPR conversation must travel past you company’s IT and data security circles. From marketing to human resources, GDPR and data privacy are relevant and will impact your employees. Conduct GDPR awareness training to help your company make unified data privacy decisions across every department.

4. Consult your lawyer: If you’ve missed the GDPR deadline, it can feel like you only have 20 paces before reckoning with GDPR regulators. But don’t panic; at this stage, the best advice anyone can give is to consult legal counsel.

Stay on the right side of data privacy law with these recommended resources:

Did you miss the GDPR deadline? IT security software or data management software could be effective tools to help your small business comply with the GDPR. You can also consult these articles for more information and best practices to guide your GDPR compliance efforts.


Note: This article is intended to inform our readers about the current data privacy and security challenges experienced by companies in the global marketplace. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.