By now you may have heard about the EU’s General Data Protection Regulation, or GDPR. Frankly, this law passed two years ago is something that should have been on the radar of American companies since even before it was passed, given the wildly onerous burdens it places on any company that does any business anywhere in the EU. If you think that sounds like a scare tactic, you can read up on the GDPR yourself.
GDPR: A Breakdown
Let’s not mince words here: the GDPR is strict beyond strict and enforced perhaps more widely than any other technology-driven law that’s ever been enacted at the federal level. The reason the regulation is so daunting is simple: it applies to every company in the world that does any business within the EU or with someone residing in the EU. The moment your company collects any information about an individual residing in the EU, GDPR applies. That personal information is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life.” Examples include a person’s address, email addresses, banking information, photos, medical information and, most importantly, their computer’s IP address.
If that sounds to you like GDPR is going to apply any time you do a sliver of business with someone from the UK, then welcome to the party, because that’s exactly what it means. If you’re wondering how your American business can comply with the law, it all comes down to how you process, store, and protect your data. As a Law.com post discussing GDPR notes, it all begins with making sure you know where your customer data resides and how it flows during the lifetime in which you keep it.
Among several key obstacles for companies, the first may be the toughest. Before a company can even begin to comply, it must make an exhaustive study of the data it keeps, where the information is stored, why it is kept, how it flows and how it is processed and used. And all that information, in the form of a data map, must be documented and continuously updated.
In truth, this is the least hair-raising part of GDPR, as this is something that a company should know anyway. Data is the lifeblood of the modern business and the protection and retention of that data should be both secure and documented. EMPIST does this every day for our clients, whether we’re actively performing data backups and DR for those clients or simply helping them manage their networks and systems on which that data resides. If you don’t know how your data is stored, protected, and backed up, you absolutely should.
It’s the other aspects of GDPR that tend to get the hair up on the backs of American businesses, because those aspects deal more with documenting consent to retain customer data, deleting it upon request (known as the EU’s “right to be forgotten”), presenting that data to the customer upon request, anonymizing that data at rest through techniques like encryption or tokenization, and informing individuals when a data breach occurs. Make no mistake, these are all heavy burdens which American companies doing business in the EU must now shoulder, and they essentially make data protection and management a full-time position in and of itself.
And you can’t afford to skirt around GDPR either, given the penalties that can be assessed. Companies found violating GDPR are subject to fines of either 20 million euros or 4% of the company’s worldwide turnover from the previous year. Such sanctions can flatly spell the end of many small and mid-market companies.
The EMPIST Effect
The good news is that there are ways you can get help. EMPIST, in particular, makes data protection, storage, and backups a key part of its business. We also happen to have some of our offices in Europe and we have been very aware of GDPR and its implications as a result. If you need a consult when it comes to your company’s data and your exposure to GDPR, that’s a conversation we’re happy to have.