GDPR by the Numbers: What this Means for SMBs
The European Union's General Data Protection Regulation goes into effect tomorrow, Friday, May 25th. This means that businesses operating – or collecting the information of citizens based – in the E.U. will have to comply with new data processing and notification standards. The intention is to enhance personal privacy, and increase transparency about how data is being used. Companies found to be in violation of GDPR will be faced with hefty fines, depending on the severity of their infringement.
Our new infographic offers a high level overview of the financial impact GDPR can have on businesses that are unprepared:
How to Prepare Your SMB for GDPR
- Conduct a risk assessment and review your customer touch points. Now is the time to take inventory of your channels, including websites, landing pages and third-party lead generators.
- Check that your opt-in language adheres to GDPR consent standards:
- Is your language unambiguous?
- Is the consent form separate from the terms and conditions?
- Are opt-in boxes unchecked?
- Have you named all parties in need of user consent?
- Is it easy for a user to withdraw?
- Now that your language has been amended, it is time to focus on user data. Data transfers must be made in a secure and private manner, preferably encrypted. If data has been encrypted, and the keys to said encryption have not been compromised, it is not a reportable event.
- Check in with your third-party partners. Are they also complying with GDPR regulations? If not, they may be sharing non-compliant data, which poses long-term liabilities.
- Document all GDPR compliance efforts. GDPR necessitates that companies maintain clear user records, especially demonstrations of consent. Ensure that your company is keeping a thorough, timestamped record of all relevant documents.
- Amend your company's data protection plan. Do your company's standard practices align with those put forth by GDPR? Have you checked that your mobile devices are also compliant?
- Consider hiring a DPO. They can assist in preparatory measures such as testing incident response plans. If necessary, would your company be able to report on a data breach within 72 hours? The DPO can help this process run smoothly through risk-minimization training.
For more information on any of the above recommendation, please reach out to iCorps for a free IT consultation.
Pennsylvania's Data Breach Reporting Law & Requirements Overview
What are Massachusetts' Data Breach Notification Requirements?
What are New York's Data Breach Notification Requirements?