The European Union's General Data Protection Regulation (GDPR) has officially become enforceable law (it applied from May 25, 2018). Many companies have spent countless hours on policy implementation and legal reviews, yet, according to a spate of surveys, a surprisingly low number of businesses are GDPR-ready. Big tech companies, including Microsoft and Facebook, have announced global policy shifts in line with the law and signaled that more changes are on the way. If your company serves any users in the EU, even occasionally or by chance, you should be taking meaningful steps toward compliance now, if you haven't already.
Failure to comply with the GDPR carries steep penalties: fines of up to 20 million euros (roughly $24.7 million) or four percent of a company's annual worldwide turnover, whichever is higher. That's enough to shutter a small business for good. For non-compliant businesses, there may be hope in demonstrating to regulators that you've made a good-faith effort and are working toward compliance, for example by hiring a consultant. But there are a few things you should know about GDPR consultants before signing a contract.
Identifying experienced consultants
Data protection consultants know that GDPR has generated a lot of demand for their services, and the industry has boomed seemingly overnight. Greg Sparrow, senior vice president and general manager of CompliancePoint, said this surge has split the field into two major types of consultants.
"There are organizations or individuals who have been involved for the last 10 to 20 years, and GDPR is just part of their career path," Sparrow said. "Or there are those who really don't have much experience at all."
That creates a problem for companies, especially since many are racing the clock to come into compliance. Luckily, industry associations such as the IAPP have begun to offer certification programs for consultants that can help companies distinguish legitimate practitioners from those merely trying to capitalize on GDPR's arrival. But those GDPR-specific certifications are too new for many consultants to have completed them. Also, Sparrow said, certification alone might not be enough.
"I would also tie [certification] in with industry experience," he said. "A lot of folks have certifications, but not practical industry experience. They walked out of college and got certified because they know [data privacy] is in demand. [It's important to] find that combination of certification and industry experience."
Sparrow recommended finding an experienced, certified consultant and then tying them into a companywide policy implementation process. That means bringing together consultants, legal teams, sales and marketing teams, and business operations to have a roundtable discussion about how to best proceed.
What can small businesses do?
For small businesses, the bill adds up quickly. Complying with GDPR is a massive undertaking, not to mention maintaining day-to-day operations while rolling out new policies. In some cases, meeting all of the GDPR's requirements for transparency and consumer control of data represents a logistical nightmare for smaller businesses, especially those on a tight budget. So what can small businesses do?
"While GDPR compliance can be difficult for all organizations, small businesses face a number of unique challenges," said Dana Simberkoff, chief risk, privacy and information security officer at AvePoint. "If leaders of small and midsize businesses want to improve their security programs while keeping their budgets under control, the most important thing for them to understand is how data, people and location weave together to create patterns – both good and bad – across and within their organizations. Only by understanding your existing data can you effectively protect it."
Simberkoff suggested the following steps for small businesses concerned about complying with GDPR:
- Trust but verify: Employees handling data should be trained to identify and classify all sensitive data. Regularly ensure employees understand the policies in place, as well as the training and tools provided to them, and that these are all being integrated into daily operations.
- Understand your organization's data: Be sure to fully understand how data is created, collected, processed and stored. Moreover, you need to know how and when data will be disposed of. A thorough understanding will help companies develop sound policies; for example, distinguishing between work-related data and personal data.
"While a consultant can help small businesses implement these strategies, owners and their employees can definitely take care of these tasks themselves," Simberkoff said. "Not only does this ensure they're GDPR compliant, but it also saves them money and alleviates the risk of scammers getting ahold of their sensitive data."
It's also important for small businesses, which outsource data processing more commonly than large enterprises do, to control how their vendors use the data they collect. Even if a small business does everything in its power to remain compliant, the company could find itself on the hook if one of its vendor partners fails to meet the standards set out by GDPR.
"Enforcement won't be just the responsibility of the EU, as businesses themselves will need to police their vendors to ensure the data the vendors are leveraging on their behalf is in fact compliant. If not, that opens up exposure," said Thomas Pasquet, co-founder of Ogury. "Those unprepared companies are going to be in hot water, as it takes longer than two to three weeks to change the way you collect and process data."
In other words, the best time to start working toward compliance was last month. The next best time is right now, today.
My company is based in the U.S. Why should I care?
While the GDPR is EU law, data is fluid and international in nature. Even if your company doesn't directly do business in Europe, you might be capturing and processing data that originated in the EU. That's enough to place you squarely within the scope of GDPR and expose you to those big fines if you fail to comply with the regulation.
"The new regulation will affect any business that deals with the data of EU citizens," Pasquet said. "Even if you have a small amount of data on citizens belonging to any of the countries that are enforcing GDPR, you could potentially receive hefty fines of up to $24.7 million or 4 percent of your annual turnover for the most serious breaches. With ramifications that dire, it's not a risk worth taking."
Even for those companies that are absolutely, 100 percent certain they are not collecting any data from EU residents (establishing which is no easy task), working toward some semblance of GDPR compliance could be beneficial for a few reasons. According to Sparrow, not only is it a good brand-building exercise to demonstrate to consumers that you care about their privacy and are doing your best to protect it, but it also positions your company to adapt as more regulations like GDPR inevitably crop up.
"Internationally this is where things are heading. If you're going to operate internationally, this is something you have to deal with," Sparrow said. "Whether you think you're in scope for GDPR or not, they should probably start down this path in some form or fashion. Organizations that will handle [future regulations] best are the ones that are doing things right now."
Hiring a consultant can help you parse the nuances of the law, and it can give you an idea of what's coming down the pike. Just be sure you're hiring someone with a demonstrable track record, strong references and a commitment to the industry. Checking all those boxes will keep you from getting burned by an incompetent or untrustworthy contractor, and it will help ensure that your company is prepared to the best of its ability.