The General Data Protection Regulation (GDPR) is a landmark privacy regulation coming into effect in the European Union on May 25. It’s a big deal for everyone, but it’s especially crucial that entrepreneurs and their businesses take the necessary steps to be compliant.
If you still haven’t investigated the regulation or if you don’t understand how it relates to you, don’t panic. We put together a list to clarify some common GDPR misconceptions and distill exactly what you need to know about the compliance process.
Oh, by the way, this isn’t legal advice. Get your own lawyer!
1. Accept that GDPR will affect your business.
…even if you don’t work in the European Union.
There are a lot of misconceptions around the internet about who is affected by GDPR. Legally, your business must be compliant if it offers a good or service to, or monitors the behavior of, a European Economic Area (EEA) resident.
At an extreme minimum, every company in the world must take steps to definitively determine whether or not this expansive territorial scope definition applies to their business. (And to prevent it from applying in the future if they choose not to comply with the regulation.)
Sounds straightforward, right? Nope!
The definitions of “good”, “service”, and “monitor” are so vague that the scope of GDPR is considered by experts to be extremely broad. For example, if you have a website with any EEA traffic that includes behavior-based advertising or analytics tools for behavior tracking, spoiler alert, you are in scope of the GDPR.
It’s also important to note that the GDPR doesn’t just apply to customers in the EEA. Employees, job applicants, contractors, advisors, family members you invited to the company picnic — everyone is included if you offer them a good or a service, or monitor them in some way. When you consider how much of this personal information (including names, email addresses, phone numbers, etc.) a modern business uses, it quickly becomes clear that this in itself is a laborious and complicated undertaking.
Consider the following thought experiment: When your employee’s Icelandic ex-boyfriend requests that the group photo (that included him) from this year’s company picnic be removed from your company website and social media, do you know your company’s legal responsibilities?
2. Comply, or risk becoming untouchable.
The legal scope of the GDPR is broad, but the true effects will be much more widespread.
Every business that is GDPR compliant is liable for the personal data they share with other businesses, which means the expectation for GDPR compliance moves up and down supply chains to companies that don’t actually offer services or goods to EEA residents. The practical result of this is that many businesses (like ours) are moving away from service providers who have not been able to reasonably demonstrate their dedication to compliance.
In particular, if you run a U.S.-based company, it will soon become nearly impossible to do business with other companies without a Privacy Shield certification. (We’ve already parted ways with several vendors that we loved for this very reason, despite pleading with our attorney to find us some creative way to allow a continued relationship.)
And even beyond GDPR, there is a growing consumer expectation of respect for personal data. To keep their customers, businesses eventually will have to be more responsible about how they handle personal information, regardless of where they’re located. Why not start now, before it becomes a bigger problem?
3. Budget a lot of time and money.
We’re a small company that likes to use our time (and especially our attorney’s time) as efficiently as possible. We still spent several thousand U.S. dollars on specialist attorney fees and documents; about a thousand U.S. dollars on various government regulator fees; a month formalizing and documenting policies and procedures; a couple of weeks taking stock of all the personal data we use, where it lives, and who has access; and several more weeks conducting staff training, updating our information security practices, and making required privacy changes to our digital systems.
Some of the compliance timeline is out of your control. Specifically, Privacy Shield certification for U.S.-based businesses takes some time to be reviewed by the relevant government agencies. Approval of our Privacy Shield application (which we had professionally reviewed beforehand and which required no adjustments) took more than two weeks.
Every company will have a different experience, but the common theme I hear from companies is that the process is more expensive and more time-consuming than originally anticipated. Plan accordingly.
4. Don’t lose sight of prevention.
The GDPR is most detailed around reactive measures (like responding to data subject requests, or issuing breach notices), but don’t let that divert your focus from the importance of prevention. Treat people fairly and honor their requests. Be smart about how you handle and store data. And absolutely nail your information security practices.
If you don’t have in-house information security expertise, you should really hire a consultant. At a minimum, tick every box on this excellent security checklist from our friends at Sqreen. And take staff information security training really seriously. (It will save you a lot of money someday when a teammate deletes a spear phishing email instead of falling victim to it.)
In short, take this opportunity to do GDPR-unrelated security work to avoid ever having to need to activate your GDPR-required incident response plans.
5. Don’t start from scratch.
The GDPR has many pieces. If you’re tight on time, build off of the work of others. Specialist attorneys who have guided other companies through this process have great resources at their disposal which you should take advantage of early in the process. You could also team up with another company in a similar situation and with a similar policy mindset, or work off of professionally assembled document templates (like this one available from CertiKIT).
Templates can give you a good perspective of all of the pieces you should have in place, and a good organizational system to work off of, but they can’t and shouldn’t define your actual company policies. Expect a fair amount of work even with the head start, and be very thoughtful about how to meaningfully incorporate policies into your company’s DNA.
6. Hire an expert.
There are too many questionable interpretations around the GDPR to MacGyver your entire compliance strategy. Period. Hiring a specialist attorney for a handful of hours will set you on the right path, save you a ton of time (and a ton of money if you end up in a GDPR-related legal situation down the road), and allow you to sleep peacefully at night.
The picture painted by these lessons may seem grim, but it’s not all bad! The GDPR is a huge step forward for the protection of the fundamental human right to privacy. At bottom, it’s all about forcing companies to respect people’s data. As a respectful business owner, your GDPR compliance process should ultimately consist of solidifying and formalizing practices that you’ve been living by for ages. And you just might learn a thing or two about your business along the way.
So yes, GDPR compliance takes time and money, but if it means living in a more respectful world, then it’s time and money well spent.