The increased email traffic is due to the General Data Protection Regulation, which made waves when it came into force on May 25.
According to Beth Milito, Senior Executive Counsel with the NFIB Small Business Legal Center, “this new regulatory framework, which is intended to give European Union citizens more control over their personal data, applies to businesses that offer goods or services to customers in the EU, hence the flood of privacy notices to customers worldwide.”
What Is GDPR—and Why Am I Hearing About It Now?
Adopted in April 2016, the GDPR is the European Union's replacement for the 1995 Data Protection Directive, which set the minimum standards for processing data in the EU, according to the Guardian. The GDPR gives individuals more clout to demand that companies reveal or delete their personal data, and regulators will also be able to work alongside the EU. A company that operates within the EU and does not comply with GDPR faces fines of up to 20 million euros or 4 percent of its global turnover.
Although the regulation is an EU law, it applies to all companies that do business within the EU, even those based in the United States. And even for a small business more focused on its Main Street customers than on customers in mainland Europe, it is always good business to be transparent with customers about how you use their data.
The most affected sectors will be technology firms, marketing firms, and data brokerage firms. According to the Guardian, even complying with the basic requirements of data access and deletion will be a burden for some companies that may not have the tools for collating all the data they have on an individual.
To prepare for GDPR compliance, 36 percent of U.S.-based companies expected to spend between $50,000 and $100,000 to meet GDPR requirements. Another 24 percent expected to spend more than $1 million, as cited in a March 2018 Propeller Insights survey on CSO.
Only 21 percent of organizations are concerned about GDPR and have a plan in place.
What You Need to Do
GDPR compliance for U.S. businesses should include an investigation and audit of all data sources and identification of all saved personal data.
NFIB’s Milito recommends some initial steps for GDPR compliance. First, conduct privacy training so employees who handle personal customer data understand what’s at stake and know procedures for responding to a data breach. Review your company’s existing privacy statement and, where possible, simplify the policy so it’s easily understood by customers. Companies should also provide opt-in consent for marketing lists and make it easy for users to revoke consent.
Using the GDPR definition of personal data (information relating to natural persons who can be identified or are identifiable, either directly from the information in question or indirectly from that information in combination with other information), set up the correct level of protection using the three GDPR-approved techniques: encryption, pseudonymization, and anonymization.
The final step is to perform an audit that produces reports showing regulators clearly that you know what personal data you have and where it is located; that you properly manage the process for obtaining consent from the individuals involved; that you can prove how the personal data is used and for what purpose; and that you have the appropriate processes in place to handle matters such as the right to be forgotten and data breach notifications, as outlined by SAS Institute Inc.