Does it apply to you? Since the EU rolled out the General Data Protection Regulation (GDPR) last year, large enterprises have been scrambling to reduce the risk of non-compliance associated with the new privacy regulations. But you may be wondering: How does GDPR affect small and medium US-based companies and startups?
Should you be worried? It depends. GDPR applies to any company that processes the personal data of people in the EU, regardless of where the company is located, when that processing relates to offering them goods or services or to monitoring their behaviour (Article 3). If you have partners, customers, or clients in Europe, you potentially need to comply. Violations also come with hefty fines: up to 20 million euros or 4% of worldwide annual turnover, whichever is higher, which no bootstrapped outfit can afford. Size buys very little relief. The one concession to small companies, in Article 30(5), is that an enterprise with fewer than 250 employees is excused from keeping formal records of its processing activities, and even that exemption falls away if the company:
- Processes data in a way likely to risk the rights and freedoms of individuals
- Processes personal data on a regular (more than occasional) basis
- Processes special categories of data covered by Article 9 of the GDPR (for example health, biometric, or religious data)
Are startups being fined yet? Perhaps intentionally, the regulation's reach is quite general. If any of the situations above apply to your business, regardless of size, then you must comply with all aspects of GDPR. Of course, the devil is in the interpretation and application of the law. In the first year since GDPR went live, regulators focused most heavily on large companies such as Google and Facebook, and pursued cases they had a high chance of winning. This was done deliberately so as not to appear to be overreaching.
We expect enforcement to broaden rather than narrow in the future, as regulators add resources to pursue more cases and build up a foundation of decisions to rely upon. The reasoning behind this conclusion is that Article 8(1) of the Charter of Fundamental Rights of the European Union recognizes the protection of personal data as a fundamental right. That alone justifies a demand for more rigid adherence. The practical implication is that any tech firm, no matter how large or small, can be identified as a controller or processor of personal data and held to the regulation.
5 steps to GDPR compliance
If you have yet to comply with GDPR, here are concrete steps businesses can take to shield themselves from non-compliance penalties. The list of policies and controls is not daunting once you look at it closely - you can do it! Here are the five main steps you need to take to comply with GDPR:
1. Beef up consent and disclosures. Consent must be specific, informed and freely given, and you must be able to show when and how it was obtained.
2. Update user notices. Privacy is no longer a commercial transaction codified in Terms of Service agreements; users are entitled to a clear explanation of what you collect and why.
3. Apply transparency, documentation and evidentiary compliance in key operations, so that you can prove what you do with personal data rather than merely assert it.
4. Audit and document lawful and legitimate access to user data, and document the rationale (the lawful basis) for each kind of processing.
5. Implement annual audits to verify that the policies and controls are still being followed.
Demystify & automate GDPR compliance
No matter how onerous the task may be, ignoring the situation could put your entire operation in jeopardy. Furthermore, if you plan to grow, it is best to implement solutions now rather than adopt piecemeal fixes later. This is especially important because GDPR governs the personal data you already hold, not just data collected after it came into force. Proactive firms that adopt robust practices will avoid problems down the road. However, most startups lack the in-house resources to achieve full compliance. Fortunately there are now technology platforms, such as Tugboat Logic, that have made do-it-yourself GDPR compliance a reality. Tugboat Logic demystifies the process by providing prebuilt policies, controls, and templates for GDPR such as:
Tech startups and small and medium enterprises would be wise to enlist the services of experts who can minimize their GDPR non-compliance risk.
What's the state of your company's GDPR readiness? Curious whether GDPR applies to you and how prepared you are for it? Take our GDPR Readiness Survey to see how you stack up. We will score your answers and provide you with a custom GDPR Readiness Report at the end.