THE DEADLINE for compliance with the European Union’s General Data Protection Regulation (GDPR) has come and gone, and odds are your SMB customers missed it.
Indeed, a month before May 25, when the law officially went into effect, industry association CompTIA Inc., of Downers Grove, Ill., found that just 13 percent of firms were fully compliant with GDPR. That same research found that a majority of surveyed businesses were unaware of the hefty fine they could be socked with for noncompliance.
Similarly, only 30 percent of SMBs understand GDPR or the implications of violating it, according to a ChannelPro reader survey conducted in May. Meanwhile, though 60 percent of readers say they understand GDPR, only 33 percent have designed and executed a GDPR compliance program for their customers.
“I would say most small and medium enterprises in the United States don’t know much about GDPR other than what they’re probably seeing from some of their service providers or some of their cloud providers,” says Sam Pfeifle, content director for the International Association of Privacy Professionals (IAPP), a nonprofit global information privacy community and resource based in Portsmouth, N.H.
Here’s a look at how to determine if GDPR applies to your customers, and how to get them into compliance ASAP if it does.
What Exactly Is GDPR?
GDPR gives EU citizens more control over their personal data. It includes the right to information about who is processing personal data; the right to access any personal data a business is holding; the right to request that incorrect, inaccurate, or incomplete personal data be corrected; and the right to request that personal data be erased when it’s no longer needed or if processing it is unlawful. In addition, GDPR requires businesses to report a breach of personal data within 72 hours.
“That’s something most organizations are not prepared to do right now,” says Greg Sparrow, senior vice president and general manager of CompliancePoint Inc., a Duluth, Ga.-based security consulting and auditing company.
Any business that collects or handles the personal data of EU citizens, or that markets directly to the EU, falls within the scope of GDPR. The good news, though, is that GDPR is not like Y2K, in which “on this magic day, May 25th, you’re either compliant or forget about it, the world ends,” Pfeifle says.
Instead, it’s more of a cultural change, according to Dana Simberkoff, chief risk, privacy, and information security officer at AvePoint, a provider of data classification and protection solutions in Jersey City, N.J. “It’s a change in the way that you do business, with regards to how you collect, create, use, share, end-of-life personal information,” she says.
The first step of that cultural change is to determine if GDPR applies to your customers, says Simberkoff, by asking these questions:
- Do they have employees who live in the EU?
- Do they provide goods and services to anyone living in the EU?
- Do they collect data about people who live in the EU?
If the answer to any of the above is “yes,” the next step is to understand what data the customer processes. Start by asking these questions, IAPP’s Pfeifle suggests:
- What kind of data do they collect?
- Where do they hold it?
- What do they use it for?
- When do they destroy it?